Disclaimer: This article is the English counterpart automatically generated from the original Chinese blog by Codex + GPT-5. The translation aims to preserve the original meaning, structure, and technical details as faithfully as possible. If there is any ambiguity or inaccuracy, please refer to the original Chinese version.

Discrete Fourier Transform

Let an \(n-1\) degree polynomial be written as

In particular, we assume that the polynomial degree bound, or equivalently the length of the coefficient vector, is \(n = 2^k\). In the non-power-of-two case, we can pad the higher-degree coefficients with zeros until the coefficient-vector length becomes a power of two. Let the \(n\)-th roots of unity be \(w_{n,k} = e^{\frac{2 k \pi i }{n}}\), where \(k \in [0..n-1]\), and let the primitive root of unity be \(w_{n} = w_{n, 1} = e^{\frac{2 \pi i }{n}}\). They all satisfy \(x^n = 1\).

The coefficient-vector representation of a polynomial is the most common one, namely \(\vec{A} = (a_0, a_1, \ldots, a_{n-1})\) above. The discrete Fourier transform is a special evaluation representation: it represents the polynomial as a vector of evaluations at the special \(n\)-th roots of unity:

The inverse discrete Fourier transform essentially converts the evaluation representation of a polynomial back into the usual coefficient-vector form. This transformation is also better known as Lagrange interpolation for polynomials. Thus, the (inverse) discrete Fourier transform is an algorithm for converting between these two representations, namely the following maps:

Convolution and Fourier Transform

In communications, the Fourier transform (Continuous Time Fourier Transform) is usually a powerful tool for studying continuous signals. It converts continuous time-domain information into frequency information, or a spectrum:

On existing computers, however, it is impossible to simulate a fully continuous time-domain signal. Therefore, the discrete Fourier transform has greater practical value, and this leads naturally to the discrete-time Fourier transform.

1. Discrete Fourier Transform (DFT) converts a sequence of complex numbers \(\{x_n\} := x_0, x_1, \dots, x_{N-1}\) into another sequence of complex numbers of the same length \(\{X_k\} := X_0, X_1, \dots, X_{N-1}\). Its forward transform is mathematically defined as follows:

   \[X_k = \sum_{n=0}^{N-1} x_n \cdot e^{-i 2\pi \frac{k}{N} n}, \quad k = 0, \dots, N-1\]

   Here \(x_n\) is the sampled signal in the time domain, \(X_k\) is the frequency component in the frequency domain, and \(N\) is the sequence length. The term \(e^{-i 2\pi \frac{k}{N} n}\) is the complex exponential basis function, which can be expanded by Euler’s formula as \(\cos(2\pi \frac{k}{N} n) - i \sin(2\pi \frac{k}{N} n)\).

2. Inverse Discrete Fourier Transform (Inverse DFT) recovers the time-domain sequence from the frequency-domain sequence:

   \[x_n = \frac{1}{N} \sum_{k=0}^{N-1} X_k \cdot e^{i 2\pi \frac{k}{N} n}, \quad n = 0, \dots, N-1\]

   Note that signal-processing conventions usually use a negative exponent for the forward DFT, whereas this article uses a positive exponent convention from the polynomial-evaluation perspective: \(y_k=\sum_{j=0}^{n-1}a_j w_n^{kj}\). The two directions are conjugate to each other; what matters is that the forward and inverse transforms are used consistently.

Switching back to the polynomial perspective, we obtain the following somewhat imprecise analogy:

In essence, convolution and multiplication are equivalent: multiplying two polynomials is essentially taking the linear convolution of their coefficient sequences. To make the later discussion of NTT more convenient, we directly consider the integer quotient ring \(\mathbb{Z}_q[x]\) here.

It is easy to verify that the linear convolution above is equivalent to polynomial multiplication. After a polynomial is transformed into its evaluation form by the discrete Fourier transform, convolution operations become more convenient. Beyond linear convolution, cryptography often uses cyclic convolution:

• Positive wrapped convolution (PWC): equivalent to multiplication in the polynomial quotient ring \(\mathbb{Z}_q[x] / (x^n - 1)\)
• Negative wrapped convolution (NWC): equivalent to multiplication in the polynomial quotient ring \(\mathbb{Z}_q[x] / (x^n + 1)\)

Negacyclic convolution, also often called Negative Wrapped Convolution (NWC), is one of the core acceleration operations in lattice-based cryptography such as Kyber and Dilithium, as well as in fully homomorphic encryption.

Fast Fourier Transform

How can we implement \(\mathcal{O}(n \log n)\) algorithms for \(\mathsf{DFT}\) and \(\mathsf{iDFT}\)? We know that ordinary point evaluation costs \(\mathcal{O}(n)\), so the naive \(\mathsf{DFT}\) has complexity \(\mathcal{O}(n^2)\). The naive Lagrange interpolation algorithm also has complexity \(\mathcal{O}(n^2)\). The core of the Fast Fourier Transform lies in the special root-of-unity basis vector used by the evaluation representation:

The central algorithmic idea is divide and conquer. We know that:

Here \(A_0(x), A_1(x)\) are both polynomials with only \(\frac{n}{2}\) coefficients, satisfying:

DFT Algorithm \(\mathcal{O}(n \log n)\)

Let \(T_{\mathsf{DFT}}(n)\) denote the time complexity of computing the discrete Fourier transform of a degree-\(n\) polynomial. From the decomposition \(A(x) = A_0(x^2) + xA_1(x^2)\), if we can obtain the \(\mathsf{DFT}\) vector of \(A\) in \(O(n)\) time from the known \(\mathsf{DFT}\) vectors of \(A_0\) and \(A_1\), then the complexity satisfies the following recurrence:

By the Master theorem for recurrences, the final time complexity of this recursive algorithm is \(\mathcal{O}(n \log n)\). A key observation is that squaring the vector of \(n\)-th roots of unity, \(\vec w^2 = (w_n^0, w_n^2, \ldots, w_n^{2(n-1)})\), gives exactly all \(\frac{n}{2}\)-th roots of unity. Therefore, the input pattern in the evaluation representations of \(A_0(x)\) and \(A_1(x)\) matches that of \(A(x)\) precisely. More concretely, suppose we already know \(A_0(x), A_1(x)\) and their discrete Fourier transforms:

Using the special properties of roots of unity:

Therefore, the \(n\) evaluation values of \(\mathsf{DFT}(A)\) can be recovered as follows:

Written more elegantly:

This formula is also called the butterfly formula. The whole recursive expression is quite elegant: using the butterfly formula, one only needs \(\mathcal{O}(n)\) time to recover the DFT of \(A\) from the DFTs of \(A_0\) and \(A_1\). In summary, we have obtained a recursive \(\mathcal{O}(n \log n)\) algorithm for the discrete Fourier transform \(\mathsf{DFT}\).

iDFT Algorithm \(\mathcal{O}(n \log n)\)

Simply put, this is polynomial interpolation. Lagrange interpolation can compute it in \(\mathcal{O}(n^2)\) time. Essentially, this is solving a system of linear equations:

Here \(\mathbf{V} \in \mathbb{C}^{n \times n}\) is the Vandermonde matrix. Its inverse is:

Therefore, the Lagrange interpolation formula in this special form is also very elegant. We can directly express \(a_{k}\) in polynomial form as:

This gives us a problem almost identical to the expression \(y_k = \sum_{j=0}^{n-1} a_j w_n^{k j}\) for \(\mathsf{DFT}\). The key changes are:

The recursive algorithm from the previous section applies equally well in this setting. In summary, we have obtained a recursive \(\mathcal{O}(n \log n)\) algorithm for the inverse discrete Fourier transform \(\textsf{iDFT}\).

The core of FFT acceleration: The fundamental reason FFT is fast is the periodicity of roots of unity:

\[w_{n}^{n} = 1, \quad w_{n}^{\frac{n}{2}} = -1\]

This allows many computations to be reused, which is the essence of the recursive acceleration. In the later discussion of NTT, we will further explain how to reuse computation through the periodicity of roots of unity.

Fast Number Theoretic Transform

In cryptography, we usually care about polynomials over integer rings. More specifically, we care about polynomials over the integer quotient ring \(\mathbb{Z}_{q}\), and in most cases we regard \(q\) as a prime. In this section, all multiplication operations are explained through convolution, namely the following correspondence:

Over integer quotient rings, we need to find a root of unity with the same properties as \(e^{\frac{2\pi i}{n}}\) in the discrete Fourier transform: the primitive root of unity over \(\mathbb{Z}_{q}\) defined below.

Linear / Positive Wrapped Convolution

It is easy to verify that the two matrices corresponding to the expressions above in \(\hat{\mathbf{a}}\) and \({\mathbf{a}}\) are inverses of each other:

Thus, linear convolution can be computed via NTT as follows. Note that when computing linear convolution in \(\mathbb{Z}_q[x]\), one should choose a transform length \(m \ge 2n-1\) and zero-pad the input:

The acceleration techniques from FFT can be transferred completely to NTT and iNTT. Earlier, we mentioned that if we want to compute linear convolution over \(\mathbb{Z}_q[x]\), the dimension of \(\mathbf{c}\) should be \(2n - 1\). If we only use an \(n\)-th primitive root of unity and a transform of length \(n\), then we do not obtain linear convolution, but cyclic convolution. At this point, switching to the polynomial perspective, the values obtained after convolution are still the genuine values of \(A(\omega^i) \cdot B(\omega^i) \bmod q\), but the coefficients of monomials of degree \(\ge n\) have been cyclically accumulated into lower-degree coefficients. Because we are using an \(n\)-th primitive root, it satisfies \(x^{n + k} = x^k\), which is equivalent to:

That is, the result is reduced modulo the polynomial \({x^{n} - 1}\). In coefficient terms, the true higher-degree monomial coefficients are cyclically accumulated into lower-degree monomial coefficients, which is exactly the expression for positive wrapped convolution:

Let \(\textsf{NTT}_{n}^{\omega}(\cdot)\) denote the number theoretic transform acting on an \(n\)-dimensional vector using the primitive generator \(\omega\). Unless otherwise specified, we omit the parameter \(n\) and assume it matches the actual vector dimension, writing it simply as \(\textsf{NTT}^{\omega}(\cdot)\). We then obtain the following proposition.

The more essential point is that the \(n\)-th primitive roots selected by NTT all satisfy:

Therefore, the final result is plainly equivalent to the result after reducing modulo the polynomial \(x^n - 1\). This gives a more intuitive understanding of PWC and also helps us understand the mathematical intuition behind NWC in the next section.

Negacyclic Convolution

Next, consider how to compute negacyclic convolution. From the expression

We naturally think that coefficients of monomials of degree \(\ge n\) are also accumulated into the corresponding lower-degree terms after reducing degrees modulo \(n\), except that their contribution to the coefficients is negative. Thus, we naturally want the relation \(x^{n + k} = -x^{k}\). In other words, the primitive root \(\varphi\) for this NTT should satisfy \(\varphi^{n} = - 1\), so \(\varphi\) is a primitive \(2n\)-th root of unity. However, if we simply replace \(\omega\) in positive wrapped convolution by \(\varphi\), this does not directly produce negacyclic convolution; instead, it introduces a frequency shift or a mathematical mismatch. Moreover, the evolution of twiddle factors in the standard NTT is based on the primitive-root sequence \(\omega^0, \omega^1, \omega^2, \ldots, \omega^{n-1}\) satisfying \(x^n = 1\). If we simply replace it by \(\varphi^0, \varphi^1, \varphi^2, \ldots, \varphi^{n-1}\), then half of these \(2n\)-th roots of unity do not have a consistent identity of either \(x^n = 1\) or \(x^n = -1\), and this property is crucial for fast NTT. Here I give two mathematical ways to understand NWC constructions.

Let \(\varphi\) be a primitive \(2n\)-th root of unity, and let \(\omega\) be a primitive \(n\)-th root of unity satisfying \(\omega = \varphi^2\).

The two viewpoints above yield the same result. We obtain the formal definition of the negacyclic Number Theoretic Transform as follows.

Similarly, by inverting the Vandermonde matrix, we can obtain the formula for the inverse negacyclic Number Theoretic Transform. It is worth pointing out that the paper https://eprint.iacr.org/2024/585.pdf contains a major typo in its definition of iNTT.

It is easy to verify that the two matrices corresponding to the expressions above in \(\hat{\mathbf{a}}\) and \({\mathbf{a}}\) are inverses of each other:

The Essence of the Number Theoretic Transform

Returning to the algebraic perspective, the essence of the Number Theoretic Transform is ring decomposition and isomorphism. We take NWC as an example. Let \(\varphi\) be a primitive \(2n\)-th root of unity over \(\mathbb{Z}_q\). Then the cyclotomic polynomial \(C(X) = X^{n} + 1\) has the following factorization:

By the Chinese Remainder Theorem, there is a ring isomorphism:

For each factor \(\alpha = \varphi^{2i + 1}\), we have \(\mathbb{Z}_q[X] / (X - \alpha) \cong \mathbb{Z}_q\) through the map \(X \mapsto \alpha\), i.e. evaluating the polynomial at the point \(\alpha\). Therefore, the isomorphism above can be further simplified as:

For a polynomial \(A(X) \in \mathbb{Z}_q[X] / (X^n + 1)\) with coefficient vector \(\mathbf{a}\), the NTT and inverse NTT are essentially a ring isomorphism.

The essence of the Fast Fourier Transform and the fast Number Theoretic Transform is that the group isomorphism above also admits the following recursive divide-and-conquer decomposition:

That is the following CRT isomorphism map:

Similarly, for PWC, the modulus polynomial \(x^n - 1\) admits a similar CRT isomorphism map:

From the ring-isomorphism decomposition above, we can already see the rough shape of the butterfly operation. In the next section, we introduce the butterfly operation of the fast Number Theoretic Transform, namely the Cooley-Tukey algorithm, and the butterfly operation of the fast inverse Number Theoretic Transform, namely the Gentleman-Sande algorithm.

CT/GS Butterfly Algorithms

Let \(\varphi\) be a primitive \(2n\)-th root of unity over \(\mathbb{Z}_q\), and let \(\omega := \varphi^2\) be a primitive \(n\)-th root of unity over \(\mathbb{Z}_q\). Here \(n\) is exactly a power of two, so the recursion can proceed completely.

The key properties of the fast Fourier transform are:

To unify notation, let the number theoretic transform for positive wrapped convolution be denoted by \(\textsf{NTT}^{+}\), and the number theoretic transform for negacyclic convolution be denoted by \(\textsf{NTT}^{-}\). Since \(\omega := \varphi^2\), both can be written uniformly in terms of \(\varphi\):

We only need to consider the negacyclic convolution case below, because the corresponding positive wrapped convolution transform can be obtained easily through coefficient reconstruction \(\mathbf{b}_i :=\varphi^{-i} \cdot \mathbf{a}_i\).

Fast-NTT: Cooley-Tukey Algorithm

Consider the first ring-isomorphism step below:

Now consider the coefficient with \(J = j + n/2 > n/2\):

This gives some reusable intermediate quantities. Let \(A_j=\sum_{i=0}^{n / 2-1} \varphi^{4 i j+2 i} a_{2 i}\) and \(B_j=\sum_{i=0}^{n / 2-1} \varphi^{4 i j+2 i} a_{2 i+1}\). From the decomposition, we obtain:

The coefficients \(A_j, B_j\) can themselves be computed by \(n/2\)-point NTTs. Define:

Let \(\omega = \varphi^2\) be a primitive \(2 \cdot \left( \frac{n}{2} \right)\)-th root of unity. We have:

We recurse in this way until the NTT coefficients can be computed in constant time.

For the standard NTT for positive wrapped convolution, the recursive structure is the same. One only needs to replace \(\varphi^{2j+1}\) above by \(\omega^j\) and replace the subproblem root by \(\omega^2\).

Fast-iNTT: Gentleman-Sande Algorithm

Recall that the inverse NTT is computed as follows:

The fast computation of the inverse NTT is decomposed as:

The even and odd coefficients can be separated as follows:

Next, we analyze the recursive formula from two perspectives.

Inverting the CT Transform

The Gentleman-Sande inverse transform can be obtained directly by inverting the butterfly formula from the Cooley-Tukey forward transform in the previous section. Recall the CT forward transform in the negacyclic convolution setting. Split the input coefficients by even and odd indices:

Let \(\omega = \varphi^2\). Then \(\omega\) is the primitive \(n\)-th root of unity needed for the length \(n/2\) negacyclic subproblem; in other words, it plays the role of a primitive \(2\cdot(n/2)\)-th root of unity inside the subproblem. Write:

The CT butterfly gives:

The GS inverse transform inverts this linear system layer by layer. Given the evaluation vector \(\hat{\mathbf{a}}\) at the current layer, first pair the upper and lower halves to recover two length \(n/2\) subproblem evaluation vectors:

Then recursively apply length \(n/2\) inverse transforms to \(\mathbf{E}\) and \(\mathbf{O}\):

Finally, interleave the coefficients of the two subproblems:

The recursion terminates at \(n=1\), where the input evaluation vector is already the coefficient vector. Since each butterfly layer multiplies by \(\frac{1}{2}\) and there are \(\log_2 n\) layers in total, the total scaling factor is:

This exactly matches the normalization factor \(\frac{1}{n}\) in the iNTT definition. Therefore, an implementation can use \(2^{-1} \bmod q\) at each layer, without multiplying by \(n^{-1}\) again after the recursion ends.

Deriving the Standard GS Transform

We can derive the recursion directly from the definition of \(\textsf{iNTT}^{\varphi}\). Let the input evaluation vector at the current layer be \(\hat{\mathbf{a}}=(\hat{\mathbf{a}}_0,\ldots,\hat{\mathbf{a}}_{n-1})\), and let the output coefficient vector be \(\mathbf{a}=(\mathbf{a}_0,\ldots,\mathbf{a}_{n-1})\). By definition:

Split the output index \(j\) into even and odd cases. For even index \(j=2k\):

The last step uses \(\varphi^{-4k(i+n/2)}=\varphi^{-4ki}\varphi^{-2kn}=\varphi^{-4ki}\).

For odd index \(j=2k+1\):

The last step uses \(\varphi^{-2(2k+1)(i+n/2)}=-\varphi^{-2(2k+1)i}\).

Now let the primitive root of the subproblem be \(\omega=\varphi^2\), and define two new evaluation vectors of length \(n/2\):

We can observe that the two length \(n/2\) recursive subproblems \(\textsf{iNTT}^{\omega}\) give:

and:

Therefore, directly from the iNTT formula, we obtain the recurrence:

The core of the recursion is computing the vectors \(\mathbf{E}\) and \(\mathbf{O}\):

Notice that the final step interleaves the results of the two recursive subproblems by even and odd indices. The recursive version here does not require bit reversal, and it also does not require an additional multiplication by \(n^{-1}\) at the end, because the \(2^{-1}\) factor at each layer already accumulates to the normalization factor \(n^{-1}\) in the inverse NTT definition.

For the iNTT of positive wrapped convolution, the recursive structure is the same. One only needs to replace \(\varphi^{2j+1}\) by \(\omega^j\) and replace the subproblem root by \(\omega^2\):

\[\begin{cases} E_j = \frac{1}{2}\left(\hat{\mathbf{a}}_j + \hat{\mathbf{a}}_{j+n/2}\right) \\ O_j = \frac{1}{2\omega^j}\left(\hat{\mathbf{a}}_j - \hat{\mathbf{a}}_{j+n/2}\right) \end{cases}\]

Non-Recursive Iterative Butterfly Algorithms

The recursive CT/GS algorithms are best suited for understanding where the formulas come from, but practical implementations usually unroll the recursion into an iterative butterfly network. The essence of recursive CT is that it repeatedly splits subproblems according to the parity of the input index: the first layer looks at the least significant bit, the second layer at the next bit, and so on until the most significant bit. Therefore, the input order at the leaves of the recursion tree is exactly the bit-reversal permutation (BO order) of the original indices. Let \(\operatorname{brv}_{\ell}(i)\) denote the integer obtained by reversing the \(\ell=\log_2 n\) bits of \(i\). For example, when \(n=8\):

Expanding in three bits, the correspondence is:

For \(n = 8\), suppose the input coefficient vector is in natural order (NO): \((a_0,a_1,a_2,a_3,a_4,a_5,a_6,a_7)\). The final output vector is not in natural order, but in BO order: \((\hat a_0 \mid \hat a_4 \mid \hat a_2 \mid \hat a_6 \mid \hat a_1 \mid \hat a_5 \mid \hat a_3 \mid \hat a_7)\). The detailed permutation during the CT operation is:

This is exactly the left-to-right order of the leaf nodes after CT recurses to the bottom. The permutation has order two, so applying the same permutation again flips the sequence from BO order back to normal NO order. In fact:

1. If the input is in BO order, CT butterfly operations produce NO order.
2. If the input is in NO order, CT butterfly operations produce BO order.

Returning to the Gentleman-Sande butterfly operation, the permutation is exactly the same from the output perspective. In short, if we want to obtain the normal NO sequence, we need to permute the result vector back from BO order at the end. After clarifying the ordering, we continue to analyze the iterative form of the Fast NTT algorithm.

Non-Recursive Cooley-Tukey NTT

For the standard NTT for positive wrapped convolution, let \(\omega\) be a primitive \(n\)-th root of unity. The iterative CT algorithm first reorders the input coefficient vector in bit-reversal order, then starts from small blocks of length \(m=2\) and merges upward, doubling \(m\) layer by layer until \(m=n\). Within each block of length \(m\), the local primitive \(m\)-th root of unity is:

For block position \(j=0,\ldots,m/2-1\), the CT butterfly is:

For \(\textsf{NTT}^{\varphi}\) in negacyclic convolution, let \(\varphi\) be a primitive \(2n\)-th root of unity. In a local subproblem of length \(m\), the corresponding primitive \(2m\)-th root of unity is:

The CT butterfly in the negacyclic version only needs to replace the twiddle factor \(\omega_m^j\) in the standard NTT by the odd power:

That is:

Non-Recursive Gentleman-Sande iNTT

The GS inverse transform can be viewed as running the CT butterfly network backward. CT merges from small blocks into larger blocks, so GS splits from large blocks into smaller blocks. For the iNTT of standard positive wrapped convolution, define within a block of length \(m\):

The GS butterfly is:

Here \(\frac{1}{2}\) is placed inside each butterfly layer. Since there are \(\log_2 n\) layers in total, the overall scaling is \(1/n\). Another common form omits the factor \(\frac{1}{2}\) at each layer and instead multiplies by \(n^{-1}\) at the end; the two forms are equivalent. The current code uses the former form, so no additional multiplication by \(n^{-1}\) is needed at the end. After each GS layer, the data still follows the grouping order of recursive splitting. After all layers have been executed, the coefficients are in bit-reversal order, so one more bit reversal is needed to return to natural order.

For \(\textsf{iNTT}^{\varphi}\) in negacyclic convolution, similarly let the local root be:

Then replace \(\omega_m^j\) by \(\varphi_m^{2j+1}\):

离散傅里叶变换

记一个 \(n-1\) 次多项式为

特别地，我们假定多项式次数（系数向量的长度）为 \(n = 2^k\)，在非 2 次幂情形下，我们可以补齐高次零系数直到系数向量的长度等于 2 的次幂。记 \(n\) 次单位元为 \(w_{n,k} = e^{\frac{2 k \pi i }{n}}\)，其中 \(k \in [0..n-1]\)，本原单位元为 \(w_{n} = w_{n, 1} = e^{\frac{2 \pi i }{n}}\)，它们均满足 \(x^n = 1\)。

多项式的系数向量表示方式是最常见的，即上面的 \(\vec{A} = (a_0, a_1, \ldots, a_{n-1})\)。离散傅里叶变换是一种特殊的点值表示，即将多项式表示为特殊的 \(n\) 次单位元的点值向量：

逆离散傅里叶变换本质就是将多项式的点值表示转换成一般的向量形式，这个变换另一个更为人所知的说法是多项式的拉格朗日插值算法。故（逆）离散傅里叶变换就是将这两种表示方式进行相互转换的算法。即下面的映射：

卷积与傅里叶变换

在通信领域，傅里叶变换（Continuous Time Fourier Transform ）通常是研究连续信号的强有力的工具，将连续的时域上的信息转换为频率信息或者频谱：

而在现有的计算机下，模拟完全连续的时域信号是不可能的，因此离散的傅里叶变换在实际应用中的价值更高，于是就衍生了离散（时间）傅里叶变换。

1. 离散傅里叶变换 (DFT) 将一组复数序列 \(\{x_n\} := x_0, x_1, \dots, x_{N-1}\) 转换为另一组等长的复数序列 \(\{X_k\} := X_0, X_1, \dots, X_{N-1}\)。其正变换 (Forward DFT) 数学定义如下：

   \[X_k = \sum_{n=0}^{N-1} x_n \cdot e^{-i 2\pi \frac{k}{N} n}, \quad k = 0, \dots, N-1\]

   其中 \(x_n\) 是时域中的采样信号，\(X_k\) 是频域中的频率分量，\(N\) 是序列长度。\(e^{-i 2\pi \frac{k}{N} n}\) 是复指数基函数，根据欧拉公式可以展开为 \(\cos(2\pi \frac{k}{N} n) - i \sin(2\pi \frac{k}{N} n)\)。

2. 离散傅里叶逆变换 (Inverse DFT) 将频域序列还原回时域序列：

   \[x_n = \frac{1}{N} \sum_{k=0}^{N-1} X_k \cdot e^{i 2\pi \frac{k}{N} n}, \quad n = 0, \dots, N-1\]

   需要注意的是，信号处理中的 Forward DFT 通常使用负指数约定，而本文在多项式求值视角下使用正指数约定 \(y_k=\sum_{j=0}^{n-1}a_j w_n^{kj}\)。二者互为共轭方向，只要正逆变换保持一致即可。

切换回多项式的视角，我们其实可以得到下面不太精准的规约：

本质上，卷积与乘法是对等的： 两个多项式相乘，本质上就是它们的系数序列在做线性卷积。为了方便后续说明 NTT 的概念，我们这里直接考虑整数商环 \(\mathbb{Z}_q[x]\)。

可以很容易地验证上述线性卷积等价于多项式乘法，而经过离散傅里叶变换后的点值形式的多项式，可以更方便地进行卷积运算。不局限于线性卷积，还有密码学上经常用到的循环卷积函数：

• 正循环卷积（PWC）：等价于多项式商环 \(\mathbb{Z}_q[x] / (x^n - 1)\) 上的乘法运算
• 负循环卷积（NWC）：等价于多项式商环 \(\mathbb{Z}_q[x] / (x^n + 1)\) 上的乘法运算

负循环卷积（Negacyclic Convolution），也常被称为负向折叠卷积（Negative Wrapped Convolution, NWC），是格密码（如 Kyber, Dilithium）和全同态加密中最为核心的加速运算。

快速傅里叶变换

那么如何实现 \(\mathcal{O}(n \log n)\) 复杂度的 \(\mathsf{DFT}\) 和 \(\mathsf{iDFT}\)。我们知道，一般的点值计算复杂度为 \(\mathcal{O}(n)\)，因此朴素的 \(\mathsf{DFT}\) 复杂度为 \(\mathcal{O}(n^2)\)，朴素的拉格朗日插值算法的复杂度也是 \(\mathcal{O}(n^2)\)，而快速傅里叶变换的核心在于点值表示中的特殊的单位元基点向量：

其核心的算法思想就是分而治之（divide and conquer）。我们知道：

其中 \(A_0(x), A_1(x)\) 都是只有 \(\frac{n}{2}\) 个系数的多项式，满足：

DFT 算法 \(\mathcal{O}(n \log n)\)

定义 \(T_{\mathsf{DFT}}(n)\) 为计算 \(n\) 次多项式的离散傅里叶变换的时间复杂度，根据分解 \(A(x) = A_0(x^2) + xA_1(x^2)\)，如果我们可以根据已知的 \(A_0, A_1\) 的 \(\mathsf{DFT}\) 向量，在 \(O(n)\) 时间内得到 \(A\) 的 \(\mathsf{DFT}\) 向量。则我们知道它的复杂度满足下面的递归关系：

由递归算法的主定理，我们知道该递归算法的最终时间复杂度为 \(\mathcal{O}(n \log n)\)。一个关键的观察在于 \(n\) 次单位元向量平方后的 \(\vec w^2 = (w_n^0, w_n^2, \ldots, w_n^{2(n-1)})\) 就是所有的 \(\frac{n}{2}\) 次的单位元，因此 \(A_0(x), A_1(x)\) 的点值表示中的输入模式与 \(A(x)\) 恰好是匹配的。具体来说，假如我们已知 \(A_0(x), A_1(x)\) 和离散傅里叶变换：

注意到单位元的特殊性：

因此 \(\mathsf{DFT}(A)\) 的 \(n\) 点值表示的向量值可以通过如下方式恢复：

写成比较优雅的表达式就是：

上述公式也被称之为蝴蝶公式，整个递归表达式非常优雅，根据蝴蝶公式只需 \(\mathcal{O}(n)\) 的时间复杂度就可以从 \(A_0, A_1\) 的离散傅里叶变换的结果恢复出 \(A\) 的离散傅里叶变换的结果。综上我们给出了离散傅里叶变换 \(\mathsf{DFT}\) 的一个 \(\mathcal{O}(n \log n)\) 的递归算法。

iDFT 算法 \(\mathcal{O}(n \log n)\)

简单来说，这就是多项式插值，利用拉格朗日插值算法可以在 \(\mathcal{O}(n^2)\) 时间内完成，本质上是求解线性方程组，即

其中 \(\mathbf{V} \in \mathbb{C}^{n \times n}\) 就是范德蒙矩阵。这个矩阵的逆为：

因此，该形式下的拉格朗日插值公式也非常之优雅，我们同样可以直接以多项式的形式直接给出 \(a_{k}\) 的表达式。

这就得到了一个几乎与 \(\mathsf{DFT}\) 表达式 \(y_k = \sum_{j=0}^{n-1} a_j w_n^{k j}\) 一模一样的问题，关键变化在于：

上节递归算法同样适用于此情形。综上我们给出了离散傅里叶逆变换 \(\textsf{iDFT}\) 的一个 \(\mathcal{O}(n \log n)\) 的递归算法。

FFT 加速的核心: 快速傅里叶变换加速的根本在于单位元的周期性：

\[w_{n}^{n} = 1, \quad w_{n}^{\frac{n}{2}} = -1\]

从而可以复用很多运算，这样是而递归加速的本质。在之后 NTT 的讨论中，我们将进一步展开如何通过单位元的周期性去复用运算。

快速数论变换

密码学上，我们通常关注整数环上的多项式，更具体地，我们关注整数商环 \(\mathbb{Z}_{q}\) 上的多项式，其中大部分情况下，我们认为 \(q\) 是一个素数。这一节，我们将所有的乘法运算都使用卷积来说明，即下面的对应关系。

在整数商环上，我们需要找到和离散傅里叶变换中 \(e^{\frac{2\pi i}{n}}\) 拥有相同性质的单位元，即下面定义的 \(\mathbb{Z}_{q}\) 上的本原单位元。

线性/正循环卷积

容易验证（证明上述两个表达式关于 \(\hat{\mathbf{a}}\) 和 \({\mathbf{a}}\) 的两个矩阵互为逆）：

从而我们知道线性卷积可以基于 NTT 进行如下计算。需要注意的是，如果计算 \(\mathbb{Z}_q[x]\) 上的线性卷积，应选择变换长度 \(m \ge 2n-1\) 并对输入进行零填充：

同时基于快速傅里叶的优化技术可以完全迁移到 NTT 和 iNTT 上。前面我们提到过，如果想要计算 \(\mathbb{Z}_q[x]\) 上的线性卷积， \(\mathbf{c}\) 的维度应该是 \(2n - 1\)，而如果我们只使用 \(n\) 次本原单位根和长度为 \(n\) 的变换，那么我们不会得到线性卷积，而是循环卷积。这个时候，我们切换到多项式的角度思考，我们卷积后得到的点值其实仍然是真实的 \(A(\omega^i) \cdot B(\omega^i) \bmod q\) 的值，但是 \(\ge n\) 次的单项式系数相当于都被我们循环累加到低次的系数了，但是由于我们使用的是 \(n\) 次本原根，它满足 \(x^{n + k} = x^k\)，这等价于：

即我们会把结果模多项式 \({x^{n} - 1}\)，对应到系数就是真实的高次单项式系数都循环累加到低次单项式的系数上了，也就是正循环卷积的表达式：

记 \(\textsf{NTT}_{n}^{\omega}(\cdot)\) 为使用本原生成元 \(\omega\) 对 \(n\) 维向量作用的数论变换，除非特别说明，我们省略 \(n\) 参数，认为它与实际作用的向量维度一致，默认记为 \(\textsf{NTT}^{\omega}(\cdot)\)。于是我们得到了下面的命题。

其实更本质的意义在于，NTT 选取的 \(n\) 次本原单位根均满足：

因此，最后的结果显然就是等价于在模了多项式 \(x^n - 1\) 之后的结果，这样对 PWC 的理解更为直观，也更利于我们去理解下一节的 NWC 背后的数学直觉。

负循环卷积

接下来我们考虑如何计算负循环卷积，根据表达式：

我们很自然想到，对于 \(\ge n\) 次的单项式系数也同样累加作用到对应的低次项了（次数模 \(n\) 后），只不过此时对系数的贡献是负的，于是我们很自然想到此时应该有关系 \(x^{n + k} = -x^{k}\)，即此时 NTT 的本原单位根 \(\varphi\) 应该满足 \(\varphi^{n} = - 1\)，即 \(\varphi\) 就是 \(2n\) 次的本原单位根。但是很显然，如果我们简单地将正循环卷积中的 \(\omega\) 替换为 \(\varphi\)，这并不能直接得到负循环卷积，而会产生频率偏移或数学意义上的不匹配。另外标准 NTT 的旋转因子（Twiddle Factors）演变规律是基于 \(x^n = 1\) 的本原根序列 \(\omega^0, \omega^1, \omega^2, \ldots, \omega^{n-1}\)，而简单替换为 \(\varphi^0, \varphi^1, \varphi^2, \ldots, \varphi^{n-1}\)，这样一半的 \(2n\) 次本原单位根不具有 \(x^n = 1\) 或者 \(x^n = -1\) 一致的恒等式，而这种性质是快速 NTT 的关键。这里我给出两个 NWC 构造的数学上的理解。

记 \(\varphi\) 是 \(2n\) 次的本原单位根，\(\omega\) 是 \(n\) 次的本原单位根，并且满足 \(\omega = \varphi^2\)。

上面两种方式得到的结果是一致的，我们得到了负循环数论变换的正式定义如下。

同理我们对范德蒙矩阵求逆，可以得到负循环逆数论变换的公式，值的指出的是，https://eprint.iacr.org/2024/585.pdf 这篇论文对 iNTT 的定义存在重大 typo。

容易验证（证明上述两个表达式关于 \(\hat{\mathbf{a}}\) 和 \({\mathbf{a}}\) 的两个矩阵互为逆）：

数论变换的本质

回到代数的视角，数论变换的本质就是环的分解与同构，我们以 NWC 卷积为例。\(\varphi\) 是一个 \(\mathbb{Z}_q\) 上的 \(2n\) 次本原单位根，则分圆多项式（cyclotomic polynomial）\(C(X) = X^{n} + 1\) 存在下面的分解：

由中国剩余定理，我们知道存在下面的环同构：

由于对于每一个因子 \(\alpha = \varphi^{2i + 1}\)，都有 \(\mathbb{Z}_q[X] / (X - \alpha) \cong \mathbb{Z}_q\)（通过映射 \(X \mapsto \alpha\) 实现，即多项式在点 \(\alpha\) 的取值），上述同构可以进一步简化为：

对于多项式 \(A(X) \in \mathbb{Z}_q[X] / (X^n + 1)\)，其系数向量 \(\mathbf{a}\) 的数论变换 NTT 和逆数论变换 iNTT 的本质就是一个环同构。

而快速傅里叶/数论变换的本质在于上面的群同构又同时存在下面的可递归分治的分解：

即下面的 CRT 同构映射：

同理对于 PWC 卷积，其模多项式 \(x^n - 1\) 也存在类似的 CRT 同构映射：

从上面的环同构的分解，我们就大概可以看出蝴蝶操作的雏形了。下一节，我们将介绍快速数论变换的蝴蝶操作（ Cooley-Tukey 算法）与快速逆数论变换的蝴蝶操作（Gentleman-Sande 算法）。

CT/GS 蝴蝶算法

记 \(\varphi\) 是一个 \(\mathbb{Z}_q\) 上的 \(2n\) 次本原单位根， \(\omega := \varphi^2\) 是一个 \(\mathbb{Z}_q\) 上的 \(n\) 次本原单位根，其中 \(n\) 恰好是 2 的次幂，从而保证可以完整递归。

快速傅里叶最关键的性质在于：

为了统一表达形式，我们记正循环卷积的数论变换为 \(\textsf{NTT}^{+}\)，负循环卷积的数论变换为 \(\textsf{NTT}^{-}\)，由于 \(\omega := \varphi^2\)，它们可以统一表示为 \(\varphi\) 的形式

我们接下来只考虑负循环卷积的情形即可，因为通过系数重构 \(\mathbf{b}_i :=\varphi^{-i} \cdot \mathbf{a}_i\)，很容易得到对应的正循环卷积变换。

Fast-NTT: Cooley-Tukey Algorithm

考虑下面的第一步环同构：

考虑 \(J = j + n/2 > n/2\) 的系数：

这实际上给出了一些可重复计算的系数，令 \(A_j=\sum_{i=0}^{n / 2-1} \varphi^{4 i j+2 i} a_{2 i}\) 以及 \(B_j=\sum_{i=0}^{n / 2-1} \varphi^{4 i j+2 i} a_{2 i+1}\)，则根据分解可以得到：

其中 \(A_j, B_j\) 的系数又可以通过 \(n/2\) 个点的 NTT 变换计算得到。定义：

则令 \(\omega = \varphi^2\) 是一个 \(2 \cdot \left( \frac{n}{2} \right)\) 次本原根，我们知道

如此递归直到我们可以以常数时间内计算出 NTT 变换的系数。

对于正循环卷积的标准 NTT，递归结构相同，只需要把上面的 \(\varphi^{2j+1}\) 替换为 \(\omega^j\)，并将子问题根替换为 \(\omega^2\)。

Fast-iNTT: Gentleman-Sande Algorithm

回顾逆 NTT 的计算如下：

逆 NTT 的快速计算，其分解方式如下：

奇偶系数可以差分如下：

接下来我们从两个角度分析递归公式的推导。

反解 CT 变换

Gentleman-Sande 逆变换可以直接反解上一节 Cooley-Tukey 正变换中的蝴蝶公式。回忆负循环卷积场景下的 CT 正变换。将输入系数按奇偶下标拆成：

令 \(\omega = \varphi^2\)，则 \(\omega\) 是长度为 \(n/2\) 的负循环子问题所需的 \(n\) 次本原单位根，即它在子问题中扮演 \(2\cdot(n/2)\) 次本原单位根的角色。记：

则 CT 蝴蝶给出：

GS 逆变换就是对这个线性系统逐层求逆。给定当前层的点值向量 \(\hat{\mathbf{a}}\)，先将上下半区配对，恢复两个长度为 \(n/2\) 的子问题点值向量：

然后递归地对 \(\mathbf{E}\) 与 \(\mathbf{O}\) 做长度为 \(n/2\) 的逆变换：

最后将两个子问题的系数交错合并：

递归终止条件为 \(n=1\)，此时输入点值向量本身就是系数向量。由于每一层蝴蝶都乘以 \(\frac{1}{2}\)，总共有 \(\log_2 n\) 层，因此总缩放因子为：

这正好对应 iNTT 定义中的归一化因子 \(\frac{1}{n}\)。因此实现时在每一层使用 \(2^{-1} \bmod q\)，而不需要在递归结束后再额外乘以 \(n^{-1}\)。

标准 GS 变换推导

我们直接从 \(\textsf{iNTT}^{\varphi}\) 的定义公式推出递归。令当前层输入点值向量为 \(\hat{\mathbf{a}}=(\hat{\mathbf{a}}_0,\ldots,\hat{\mathbf{a}}_{n-1})\)，输出系数向量为 \(\mathbf{a}=(\mathbf{a}_0,\ldots,\mathbf{a}_{n-1})\)。根据定义：

将输出下标 \(j\) 分成偶数与奇数两种情况。对于偶数下标 \(j=2k\)，有：

其中最后一步使用了 \(\varphi^{-4k(i+n/2)}=\varphi^{-4ki}\varphi^{-2kn}=\varphi^{-4ki}\)。

对于奇数下标 \(j=2k+1\)，有：

其中最后一步使用了 \(\varphi^{-2(2k+1)(i+n/2)}=-\varphi^{-2(2k+1)i}\)。

现在令子问题的本原单位根为 \(\omega=\varphi^2\)，并定义两个长度为 \(n/2\) 的新点值向量：

我们可以观察到上面两个长度为 \(n/2\) 的 \(\textsf{iNTT}^{\omega}\) 递归子问题分别给出：

以及：

因此，直接从 iNTT 公式可以得到递归关系：

递归的核心在于 \(\mathbf{E}\) 和 \(\mathbf{O}\) 的向量计算：

注意最后一步是把两个递归子问题的结果按偶数下标与奇数下标交错合并；递归版本这里不需要 bit-reversal，也不需要再额外乘以 \(n^{-1}\)，因为每一层的 \(2^{-1}\) 已经累计成了逆 NTT 定义中的归一化因子 \(n^{-1}\)。

对于正循环卷积的 iNTT，递归结构相同，只需要把 \(\varphi^{2j+1}\) 替换为 \(\omega^j\)，并将子问题根替换为 \(\omega^2\)：

\[\begin{cases} E_j = \frac{1}{2}\left(\hat{\mathbf{a}}_j + \hat{\mathbf{a}}_{j+n/2}\right) \\ O_j = \frac{1}{2\omega^j}\left(\hat{\mathbf{a}}_j - \hat{\mathbf{a}}_{j+n/2}\right) \end{cases}\]

蝴蝶操作的非递归迭代算法

递归版本的 CT/GS 算法最适合理解公式来源，但实际实现通常会将递归展开为迭代的蝴蝶网络。递归 CT 的本质是不断按照输入下标的奇偶性拆分子问题：第一层看最低位，第二层看次低位，直到最高位。因此，递归树最底层的输入顺序恰好是原始下标的 bit-reversal permutation（BO 序）。记 \(\operatorname{brv}_{\ell}(i)\) 表示将 \(\ell=\log_2 n\) 比特的整数 \(i\) 进行二进制位反转。例如当 \(n=8\) 时：

按照三比特展开，对应关系为：

以 n = 8 为例，我们以自然顺序（NO）输入的系数向量为 \((a_0,a_1,a_2,a_3,a_4,a_5,a_6,a_7)\)，最终得到的输出系数向量不是自然序，而是 BO 序： \((\hat a_0 \mid \hat a_4 \mid \hat a_2 \mid \hat a_6 \mid \hat a_1 \mid \hat a_5 \mid \hat a_3 \mid \hat a_7)\)，详细的 CT 操作过程中的置乱如下：

这正是 CT 递归到最底层之后叶子节点从左到右的顺序，整个置乱的阶为 2，再做一次相同的置乱即可从 BO 序列翻转到正常的 NO 序列。事实上

1. 如果输入是 BO 序列，CT 蝴蝶操作后得到 NO 序列。
2. 如果输入是 NO 序列，CT 蝴蝶操作后得到 BO 序列。

再回到 Gentleman-Sande 蝴蝶操作，从结果上看二者的置乱是完全相同的。总之，如果我们想要得到正常的 NO 序列，最后需要将结果向量从 BO 序列置乱回来。顺序分析清楚之后，我们继续分析迭代形式的 Fast NTT 算法

非递归 Cooley-Tukey NTT

对于正循环卷积的标准 NTT，令 \(\omega\) 是 \(n\) 次本原单位根。CT 迭代算法先将输入系数向量按 bit-reversal 顺序重排，然后从长度 \(m=2\) 的小块开始合并，逐层翻倍直到 \(m=n\)。在每个长度为 \(m\) 的块内，局部本原 \(m\) 次单位根为：

对于块内位置 \(j=0,\ldots,m/2-1\)，CT 蝴蝶为：

对于负循环卷积的 \(\textsf{NTT}^{\varphi}\)，令 \(\varphi\) 是 \(2n\) 次本原单位根。在长度为 \(m\) 的局部子问题中，对应的 \(2m\) 次本原单位根为：

负循环版本的 CT 蝴蝶只需要把标准 NTT 的旋转因子 \(\omega_m^j\) 替换为奇数次幂：

即：

非递归 Gentleman-Sande iNTT

GS 逆变换可以看作 CT 蝴蝶网络的反向执行。CT 从小块合并到大块，因此 GS 从大块拆分到小块。对于标准正循环卷积的 iNTT，在长度为 \(m\) 的块内令：

GS 蝴蝶为：

这里把 \(\frac{1}{2}\) 放在每一层蝴蝶中；因为共有 \(\log_2 n\) 层，整体缩放为 \(1/n\)。另一种常见写法是每层不乘 \(\frac{1}{2}\)，最后统一乘 \(n^{-1}\)，二者等价。当前代码采用前一种写法，因此不需要在最后额外乘以 \(n^{-1}\)。GS 每一层执行后，数据仍然保持递归拆分的分组顺序；全部层执行完后得到的是 bit-reversal 顺序的系数，因此最后需要再做一次 bit-reversal 才能返回自然顺序。

对于负循环卷积的 \(\textsf{iNTT}^{\varphi}\)，同样令局部根为：

然后把 \(\omega_m^j\) 替换为 \(\varphi_m^{2j+1}\)：

Disclaimer: This article is the English counterpart automatically generated from the original Chinese blog by Codex + GPT-5.4. The translation aims to preserve the original meaning, structure, and technical details as faithfully as possible. If there is any ambiguity or inaccuracy, please refer to the original Chinese version.

The hash collision problem, or more precisely the second-preimage-style collision search considered here, is a fundamental problem in cryptography and appears throughout the entire discipline. The generic hash-collision algorithms discussed in this article can be divided into the following three categories:

Birthday-Paradox Collision Search

The classical birthday paradox. A well-known question is: in a year with 365 days, how many people are needed so that the probability that at least two people share the same birthday exceeds 50%? Under a fully random model, the answer is 23, which is much smaller than intuition suggests.

Consider the generalized version: given \(k\) people, what is the probability that at least two of them share the same birthday? When \(k > 365\), this probability is 1 by the inclusion-exclusion principle. More generally, given a set of size \(N\), such as the output space of a hash function, we randomly sample \(k \le N\) values from the set with replacement. Let the probability that at least two sampled values are equal be denoted by \(\Pr\left(\text{coll}\right)\). Let \(\Pr\left(z=0\right)\) denote the event that all sampled values are distinct. Then \(\Pr\left(\text{coll}\right) = 1 - \Pr\left(z=0\right)\), where:

Hence the probability that two values coincide, i.e. that a collision occurs, is:

For the birthday-paradox problem, this probability exceeds 50% as soon as \(k \ge 23\). This is much smaller than most people would expect. More generally, when \(k\) is small relative to \(N\), we may use the approximation:

For a hash function with output bit-length \(n\), we obtain

This means that, by the birthday paradox, computing \(\mathcal{O}(2^{n/2})\) random hash values already gives a high probability of finding a collision.

Pollard’s rho

Pollard’s rho method was originally developed as an integer-factorization algorithm. Its core intuition also comes from the birthday paradox. Since the generated sequence resembles the Greek letter \(\rho\), the method is called rho.

Pollard’s rho for Integer Factorization

Integer factorization problem. Given a composite integer \(n = p \cdot q\), how do we recover a non-trivial factor \(p\)?

For Pollard’s rho factorization algorithm, the key idea is to define a function \(g(x)\) that generates a pseudorandom sequence. For example, one may choose the polynomial \(g(x) = x^2 + 1 \bmod n\). This generates the following finite sequence

where \(g^k\) denotes repeated composition, and we write \(x_k = g^k(x_0) \in \mathbb{Z}_n\). However, from the viewpoint modulo \(p\), the same sequence implicitly contains a subsequence:

which is a subsequence of \(\left\{x_k \bmod p\right\}\). If the chosen \(g(x)\) behaves randomly enough, then by the birthday paradox we expect a collision after about \(\mathcal{O}(\sqrt p)\) steps. This is illustrated by the point \(l_0\) in the figure below:

If the sequence values in Figure 1 are interpreted modulo \(p\), such a collision means that we have found

Since in practice we only see the sequence modulo \(n\), there is overwhelmingly high probability that

and therefore

reveals a factor of \(n\). However, during the sequence computation we cannot directly detect which values have collided; comparing against the whole previous sequence via repeated \(\gcd\) computations would be prohibitively expensive in both time and space. Therefore we need an efficient cycle-detection algorithm to assist Pollard’s rho.

A simple implementation of Pollard’s rho is shown below:

# sage
def rho(n):
    # Pollard's rho method
    c = int(10)
    a0 = int(1)
    a1 = a0^2+c
    a2 = a1^2+c
    while gcd(n,a2-a1) == 1:
        a1 = (a1^2+c) % n
        a2 = (a2^2+c) % n
        a2 = (a2^2+c) % n
    g = gcd(n,a2-a1)
    return [g,n//g]

Pollard’s rho for Hash Collisions

Now move to the hash-collision setting. The pseudorandom sequence is generated by a hash function \(\mathcal{H}: \{0,1\}^{*} \mapsto \{0,1\}^n\), or by a composed map \(\mathcal{H}^{+} = \mathcal{H} \circ \mathcal{R}\). For simplicity, let the initial value be \(x_0\), and denote the update rule by \(x_{i+1} = H(x_i)\). In Figure 1, the cycle contains \(n+1\) points; let \(N = n + 1\).

Again, the pseudorandom sequence \(\{x_k\}\) collides after about \(k = \mathcal{O}(2^{n/2})\) steps, after which it enters a cycle. We use Floyd’s cycle-detection algorithm. Assume that the fast and slow sequences meet at point \(i\). At that moment, the slow sequence must still lie before the end of the first cycle traversal, so the number of sequence computations satisfies \(i \le l_0 + n\), and we have:

It follows that \(k = \lceil \frac{l_0}{n} \rceil\). At this point, the two sequences meet at node \(i\), but this is not necessarily the collision point itself. We therefore want to continue until reaching \(l_0\). A useful observation is that the distances \(0 \rightarrow l_0\) and \(i \rightarrow l_0\) are equal modulo \(N = n + 1\). Indeed:

Thus

Starting from point \(i\), the subsequent point sequence lies on a cycle of length \(N\). Therefore \(0 \rightarrow l_0\) and \(i \rightarrow l_0\) both reach \(l_0\) in exactly \(l_0\) slow steps. This lets us recover the two points \(x_{l_0 - 1}\) and \(x_{l_0 + n}\) that collide under the hash, with collision value \(x_{l_0}\).

Floyd’s algorithm is an efficient cycle-detection algorithm. Moreover, once the meeting point is known, it can quickly locate the actual collision point. This is why it is widely used across many cryptographic algorithms.

Pollard’s lambda

Although Pollard’s rho for hash collisions reaches the birthday-paradox bound and uses only constant memory, it does not admit linear speed-up under parallelization. On the other hand, the naive birthday-paradox method has enormous memory overhead in parallel and still does not behave well with respect to linear acceleration. So is there an algorithm that parallelizes nearly linearly while keeping memory usage low? Quisquater and Delescaille answered this question in the context of DES collision search by introducing Distinguished Points.

Distinguished-Point Collision Search

The DP collision algorithm then proceeds as follows, with distinguished-point parameter \(k\) fixed in advance:

1. Randomly choose a start point \(S_i\), compute the hash sequence until a distinguished point \(D_i\) is reached, and store the DP chain \((S_i, D_i, L_i)\), where \(L_i\) is the chain length.
2. Repeatedly choose different start points and generate such DP chains until two chains end at the same distinguished point \(D_i = D_j\).
3. For two colliding chains \((S_i, D_i, L_i), (S_j, D_j, L_j)\), first advance the longer chain until the two remaining lengths match, then advance both chains together and test whether a real hash collision appears. If no collision is found, discard the shorter chain and return to step 1.

Figure 2 illustrates a collision structure arising in DP-based search. There, \(\mathcal{H}(x_1) = \mathcal{H}(x_2) = x_c\). The two chains share the same distinguished point but originate from different start points, which is what makes the collision possible. When the algorithm detects that the two chains in Figure 2 end at the same DP, the SP1 chain is longer than the SP2 chain by one step. Thus SP1 first performs one hash evaluation, after which SP1 and SP2 are advanced simultaneously, and the collision is then detected at \(x_1, x_2\).

If, after advancing SP1, it overlaps entirely with the SP2 chain, then this is only a pseudo-collision and the shorter chain is discarded. This situation is called the Robinhood Case, shown in Figure 3:

Time-Space Trade-off

The time-space complexity of the Distinguished-Point collision algorithm depends heavily on the distinguished-point difficulty parameter. This notion is analogous to the difficulty parameter used in Bitcoin mining. Let the difficulty parameter be \(k\), meaning that the hash must begin with \(k\) leading zeros.

This is the idealized analysis, ignoring exceptional situations such as the Robinhood Case. In practice, if \(k\) is too small, the space complexity becomes large. If \(k\) is too large, pseudo-collisions of the Robinhood type occur frequently, which increases the running time. Therefore the choice of difficulty parameter \(k\) is crucial for the Distinguished-Point method.

It is worth emphasizing that with a suitable choice of \(k\), the Distinguished-Point algorithm can keep the time complexity close to \(2^{n/2}\), avoid severe memory pressure, and still maintain essentially linear speed-up on multi-core hardware. For example, when \(n = 64\) and we choose \(k = 24\), the time complexity is \(\mathcal{O}(2^{32})\) and the memory complexity is \(\mathcal{O}(2^{8})\), which makes parallel linear acceleration practical. Below are the author’s experimental results for finding collisions on the lower 64 bits of SHA-256:

• 4 cores (with PRNG seed 0x123456789abcdef0)

  Two DP chains collided with dp mask=ffffff
  Number of chains find: 393
  diff = 11897207
  Looking for collision...
  Collision found! with 4 cores
  333412288b678e3b ff7cb8a664c810e3
  962860fc377014f1 962860fc377014f1
    
  real    1m17.441s
  user    5m9.708s
  sys     0m0.020s
  

• 8 cores (with PRNG seed 0x123456789abcdef0)

  Two DP chains collided with dp mask=ffffff
  Number of chains find: 409
  diff = 11897207
  Looking for collision...
  Collision found! with 8 cores
  333412288b678e3b ff7cb8a664c810e3
  962860fc377014f1 962860fc377014f1
    
  real    0m45.683s
  user    6m5.344s
  sys     0m0.011s
  

The above experiments use an efficient C++ implementation of the DP collision algorithm adapted from the HITCON 2023 Collision challenge.

These results are broadly consistent with linear acceleration. Theoretically, the expected number of DP chains is \(2^8 = 256\), while the observed value is around 400. This is because the birthday-paradox estimate \(\mathcal{O}(1.117 \cdot 2^{n/2})\) corresponds to the point where the collision probability is just slightly above 50%.

哈希碰撞问题（第二原像攻击）是一个基础性的密码学问题，其几乎贯彻了整个密码学体系。本文介绍的通用哈希碰撞算法分为下面三类：

生日悖论碰撞算法

经典生日悖论。 一个经典的问题：在一个有 365 天的年份中，需要多少个人才能使得至少两个人有相同生日的概率超过 50%？在完全随机的情况下，理论值是 23 ，这比直觉上要少得多。

考虑一般化的版本：给定 \(k\) 个人，至少有两个人同一生日的概率是多少？在 \(k > 365\) 时，由容斥原理，这个概率为 1。进一步地，给定一个大小为 \(N\) 的集合（比如哈希函数输出空间），随机选择 \(k \le N\) 个集合内的值（有放回抽取），至少有两个相同值的概率记为 \(\Pr\left(\text{coll}\right)\)。令 \(\Pr\left(z=0\right)\) 代表所有选择的值均互异，则 \(\Pr\left(\text{coll}\right) = 1 - \Pr\left(z=0\right)\)，其中：

因此有两个相同值的概率（即碰撞）是：

对于生日悖论问题，只要 \(k \ge 23\)，这个概率就超过了 50%。这比大多数人预期的要少得多。一般地，当 \(k\) 相对于 \(N\) 较小时，使用近似公式有：

对于输出比特长度为 \(n\) 的哈希函数，得到

这意味着，利用生日悖论，我们需要计算 \(\mathcal{O}(2^{n/2})\) 个随机的哈希值，就有很大概率得到碰撞。

Pollard’s rho 算法

Pollard’s rho method 最初是整数分解中的一类算法，其核心原理也是 Birthday Paradox。因其生成序列的性质酷似希腊字母 \(\rho\)，故而得名 rho。

整数分解的 Pollard’s rho 算法

整数分解问题. 给定一个合数 \(n = p \cdot q\)，如何找到它的一个非平凡因子 \(p\)？

对于整数分解的 Pollard’s rho 算法，核心在于定义一个函数 \(g(x)\) 用于生成伪随机数序列，例如我们取一个多项式 \(g(x) = x^2 + 1 \bmod n\)。这会生成下面的有限序列

其中 \(g^k\) 代表映射复合，记 \(x_k = g^k(x_0) \in \mathbb{Z}_n\)。但是，如果我们从模 \(p\) 的视角来看，同样上述序列其实隐藏了一个子群序列：

其是 \(\left\{x_k \bmod p\right\}\) 的子序列。如果我们选取的 \(g(x)\) 足够随机，根据生日悖论，我们大概会在 \(\mathcal{O}(\sqrt p)\) 后找到碰撞。如下图 \(l_0\) 所示：

如果图 1 中序列值代表的是模 \(p\) 的序列，这样的碰撞代表着我们寻找到了 \(g(x_{l_0- 1}) = g(x_{l_0 + n}) \bmod p\)。由于我们只有模 \(n\) 的序列，因此有极大概率在模 \(n\) 的序列下 \(g(x_{l_0- 1}) \ne g(x_{l_0 + n}) \bmod n\)，于是

即可分解 \(n\)。但是，值得注意的是，在计算序列时无法直接判断哪个值发生了碰撞；如果需要和之前的序列进行逐次 \(\gcd\)，其时间和空间开销都非常巨大。因此我们需要一个高效的循环检测算法来辅助 Pollard’s rho 算法。

一个简单的 Pollard’s rho 算法如下：

# sage
def rho(n):
    # Pollard's rho method
    c = int(10)
    a0 = int(1)
    a1 = a0^2+c
    a2 = a1^2+c
    while gcd(n,a2-a1) == 1:
        a1 = (a1^2+c) % n
        a2 = (a2^2+c) % n
        a2 = (a2^2+c) % n
    g = gcd(n,a2-a1)
    return [g,n//g]

哈希碰撞的 Pollard’s rho 算法

迁移到哈希碰撞的场景，此时伪随机序列的生成函数为哈希函数 \(\mathcal{H}: \{0,1\}^{*} \mapsto \{0,1\}^n\)，或者某个复合哈希映射 \(\mathcal{H}^{+} = \mathcal{H} \circ \mathcal{R}\)。简便起见，初始值为 \(x_0\)，我们使用 \(\mathcal{H}\) 表示伪随机序列的生成函数：\(x_{i+1} = H(x_i)\)。图 1 中环有 \(n+1\) 个点，记 \(N = n + 1\)。

同样地，伪随机序列 \(\{x_k\}\) 会在 \(k = \mathcal{O}(2^{n/2})\) 处发生碰撞，之后进入循环。采用 Floyd 算法进行循环检测（cycle detection），假设在点 \(i\) 为 Floyd 快速序列和慢速序列的相遇点，在这一点相遇时，慢速序列一定处于第一次 cycle 结束之前，因此序列计算次数为 \(i \le l_0 + n\)，有如下关系：

容易得出 \(k = \lceil \frac{l_0}{n} \rceil\)。此时，\(i\) 点相遇，但是不一定发生碰撞，因此我们想要继续行进到点 \(l_0\)。一个有趣的观察是 \(0 \rightarrow l_0\) 和 \(i \rightarrow l_0\) 的距离一定是相等的（模 \(N = n + 1\) 意义下）。证明如下：

故而

以 \(i\) 点为起始点，后续点集序列将会是一个长度为 \(N\) 的循环，因此 \(0 \rightarrow l_0\) 和 \(i \rightarrow l_0\) 将会以相同的步数 \(l_0\) 达到 \(l_0\) 点（均慢速），从而检测得到 \(x_{l_0 - 1}\) 和 \(x_{l_0 + n}\) 两个点发生哈希碰撞，碰撞的哈希值为 \(x_{l_0}\)。

Floyd 算法是一种有效的循环检测算法（Cycle Detection），并且从相遇点（Meeting Point）能够快速定位到碰撞点（Collision Point），在许多密码学算法中都有非常广泛的应用。

Pollard’s lambda 算法

Pollard’s rho 哈希碰撞算法虽然时间复杂度满足生日悖论的界，并且只需要常量内存，但是它不能通过并行计算进行线性的加速；朴素的生日悖论碰撞并行的空间开销巨大，并且也很难满足线性的加速。那么是否存在一种算法，使得其在并行环境中能够线性加速，并且空间复杂度也不高呢？Quisquater 和 Delescaille 在寻找 DES 的碰撞时，就使用了 Distinguished Point 来辅助碰撞。

Distinguished Point 碰撞算法

于是 DP 哈希碰撞算法主要包含下面的步骤，预定义显著点参数为 \(k\)：

1. 随机选取一个初始点 \(S_i\)（start point），计算哈希序列，直至得到一个显著点 \(D_i\)，保存一条 DP 链 \((S_i, D_i, L_i)\)，其中 \(L_i\) 为长度信息。
2. 不断选取不同的初始点，寻找上述 DP 链，直到显著点发生碰撞 \(D_i = D_j\)，此时停止寻找 DP 链。
3. 选取发生碰撞的两条链 \((S_i, D_i, L_i), (S_j, D_j, L_j)\)，先对较长的链进行计算，直至剩余长度与另一条保持一致，之后两条链一起计算，检测是否出现哈希碰撞。如果没有碰撞，丢弃较短的链，继续回到第一步寻找其他的 DP 链。

图 2 是 DP 碰撞搜索中生成的碰撞示意图。图中 \(\mathcal{H}(x_1) = \mathcal{H}(x_2) = x_c\)，它们的显著点 DP 相同，但是位于不同的起点上，从而导致碰撞出现。检测到图 2 中 DP 相同的链出现时，由于 SP1 链比 SP2 链长 1，于是 SP1 首先进行 1 次哈希，此后 SP1 和 SP2 同时进行哈希，之后在 \(x_1, x_2\) 处检测到碰撞。

如果 SP1 链移动后发现与 SP2 链重合，则这是一次伪哈希碰撞，丢弃较短的链。这种情况被称为 Robinhood Case，如图 3 所示：

时间空间复杂度权衡

Distinguished Point 碰撞算法的时间空间复杂度，很大程度上与 Distinguished Point 的难度系数有关（Difficulty）。这里的难度系数定义和比特币挖矿算法的难度系数定义是一致的。记难度系数为 \(k\)：哈希值为前置 \(k\) 个 0。

这是理想分析下的结果，尚不考虑特殊情况如 Robinhood Case 的出现。实际上，如果 \(k\) 值取得太小，空间复杂度高；如果 \(k\) 选取得太大，会频繁出现 Robinhood Case 的伪碰撞，导致时间复杂度增加。因此难度系数 \(k\) 的选取对 Distinguished Point 算法非常关键。

值得指出的是，通过精心选取 \(k\)，Distinguished Point 算法既能保证时间复杂度基本在 \(2^{n/2}\) 附近，不是内存困难的，并且在多核并行下保持线性的加速。比如 \(n = 64\)，选择 \(k = 24\)，时间复杂度 \(\mathcal{O}(2^{32})\)，内存复杂度 \(\mathcal{O}(2^{8})\)，在此情况下可以进行线性加速的并行。下面是笔者对 sha256 的低 64 位进行碰撞的实验数据：

• 4 核（PRNG 的 SEED 为 0x123456789abcdef0）

  Two DP chains collided with dp mask=ffffff
  Number of chains find: 393
  diff = 11897207
  Looking for collision...
  Collision found! with 4 cores
  333412288b678e3b ff7cb8a664c810e3
  962860fc377014f1 962860fc377014f1
    
  real    1m17.441s
  user    5m9.708s
  sys     0m0.020s
  

• 8 核（PRNG 的 SEED 为 0x123456789abcdef0）

  Two DP chains collided with dp mask=ffffff
  Number of chains find: 409
  diff = 11897207
  Looking for collision...
  Collision found! with 8 cores
  333412288b678e3b ff7cb8a664c810e3
  962860fc377014f1 962860fc377014f1
    
  real    0m45.683s
  user    6m5.344s
  sys     0m0.011s
  

上述实验使用了来自 Hitcon 2023 Collision 赛题的一个高效 C++ 实现的 DP 碰撞算法。

上述结果基本符合线性的加速。理论上期望的 DP 链数目为 \(2^8 = 256\)，实际 400 左右略高，是因为生日悖论给出的估计 \(\mathcal{O}(1.117 \cdot 2^{n/2})\) 是碰撞概率刚好大于 50% 时的哈希次数。

说明: 基于椭圆曲线同源的密码方案曾经是 NIST 后量子密码标准化过程中一个很有希望的方向。NIST 在第二轮状态报告中将 SIKE 列入进入第三轮的 Alternate Candidate，之后在第四轮中也继续保留过 SIKE 这一候选。但 2022 年 Castryck 与 Decru 给出了对原始 SIDH 的高效密钥恢复攻击，传统 SIDH 今天已经不应再被视为可直接部署的安全方案。但是它的设计理念和数学结构仍然非常有启发性，尤其是对于理解基于 isogeny 的密码学构造，以及后续一些改进版本的设计思路，都具有重要的参考价值。

从此篇博客开始，本站点将使用 Agent（例如 Codex） 以及自定义的 博客 skill 来辅助博客发布，包括将本地的 Markdown 笔记进行自动转换和内容润色。此后也可能会在后续的博客中使用 Agent 来辅助生成部分内容，AI 生成的内容会明确声明。

背景知识

超奇异椭圆曲线

考虑定义在有限域 \(K= \mathbb{F}_q\) 上的椭圆曲线 \(E\)，其 Weierstrass 方程为：

超奇异椭圆曲线之间的同源具有丰富的结构，也是 SIDH 一类协议的基础。由于这类曲线的 Frobenius Trace 等于 0，则其阶为：\(\vert E(\mathbb{F}_p) \vert = p + 1\)，在更一般的扩域上，我们有 \(\vert E(\mathbb{F}_{p^2}) \vert = k(p + 1)\)，其中 \(k\) 通常为 \(p+1\)。

$j$-不变量

在椭圆曲线理论中，\(j\)-不变量（\(j\)-invariant）是一个重要的不变量，用于分类椭圆曲线。唯一标识一个椭圆曲线群同构类的值是 j-invariant。容易想象，椭圆曲线经过简单的平移或旋转之后，并不会改变其几何本质，因此曲线 \(E\) 和其经过简单几何变换得到的 \(E^\prime\) 是同构的，对应有限域上的点群也同构。能够唯一标识曲线同构类的代数量，就是 j-invariant。

正式代数定义如下。考虑曲线 \(E: y^2 = x^3 + ax + b \quad a, b \in K\)，其 j-invariant 为：

同源（Isogeny）

同源（Isogeny）是一类特殊映射，可以把一条椭圆曲线映射到另一条椭圆曲线。 \(j\)-不变量相同的曲线之间存在同构映射，而更一般的同源映射则连接了不同 \(j\)-不变量的曲线。

一般而言，这样的映射可以写成 \((x,y) \mapsto (f(x,y), g(x,y))\)。很多时候我们只写 \(x\) 坐标上的部分，因为 \(y\) 坐标的变化可以从 \(x\) 的变化推导出来。具体而言即 $(x,y) \mapsto (f(x), c \cdot f^\prime(x))$ ，其中 $c$ 是一个常数值。下面我们介绍非常常见的倍点映射，也是与同源密切相关的一个重要例子。

倍点映射

记 \(E_a: y^2 = x^3 + ax^2 + x\)，考虑最简单的自同态映射二倍点乘：

显然这不是一个同构，因为存在若干点使得上述映射的分母等于 0，即 \((0,0), (\alpha, 0), (1/\alpha , 0)\)，其中 \(\alpha ^ 2 + a \alpha + 1 = 0\)。换句话说，所有阶为 2 的点以及无穷远点 \(\mathcal{O}\) 都会映射到 \(\mathcal{O}\)。这四个元素构成二倍点映射的核（kernel），且满足：

其中三个非平凡元素恰好对应 3 个 2-torsion 子群的生成元。

同理对于三倍点乘映射：

存在 4 个点使得上述映射的分母等于 0，记它们的 \(x\) 坐标为 \(\beta, \delta, \zeta, \theta\)。这些坐标对应的 8 个点，再加上无穷远点 \(\mathcal{O}\)，一起构成三倍点映射的核空间，满足：

即 3-torsion 恰好由 4 个 3 阶循环子群组成。

更一般地，对于所有满足 \(\ell \nmid p\) 的倍点映射，\(\ell\)-torsion 都满足：

上面的二倍点和三倍点映射，其实都可以看作更一般的 isogeny 的特殊情况。

同源映射

同源的基本性质包括：

1. 核（Kernel）：同源的核是映射到零点的那些点的集合。
2. 度（Degree）：同源的度是函数域扩张的次数。度为 \(n\) 的同源称为 \(n\)-同源。
3. 复合：如果 \(\phi: E \rightarrow E^{\prime}\) 和 \(\psi: E^{\prime} \rightarrow E^{\prime \prime}\) 是同源，则 \(\psi \circ \phi\) 也是同源。

记核为 \(G\)，则通常也把像曲线记为 \(E^\prime = E/G\)。值得注意的是，椭圆曲线同源与其核 \(G\) 一一对应。给定一个核 \(G\)，我们都可以构造对应的同源映射；其显式构造可以参考 Vélu Formulas。这部分证明非常数学，细节可以参考：

• MIT Elliptic Curves: https://math.mit.edu/classes/18.783/2023/LectureSlides5.pdf
• Vélu’s Formulas for SIDH: https://www.mariascrs.com/2020/11/07/velus-formulas.html

同源示例

以二倍点映射为例，选取 \(G=\{\mathcal{O},(\alpha, 0)\}\) 和 \(E_a\)。根据 Vélu 公式，可以得到：

其中

以 \(\mathbb{F}_{431^2}\) 上的具体曲线为例：

其中 \((\alpha, 0) \in E_a\)，且 \(\alpha=350 i+68\)。代入上面的 2-isogeny，可以得到新的曲线：

对应的映射为：

同理，以三倍点映射为例，令 \(G=\{\mathcal{O},(\beta, \gamma),(\beta,-\gamma)\}\)。根据 Vélu 公式，有：

其中

如果点 \((\beta, \gamma)=(321 i+56,303 i+174)\) 在曲线 \(E_a: y^2=x^3+(208 i+161) x^2+x\) 上的阶恰好为 3，则可以得到一个具体的 3-isogeny，其 codomain 为：

同源映射函数为：

与只保留 j-invariant 的同构不同，这里的同源会把曲线送到另一条不同 j-invariant 的曲线上，因此两条曲线不再同构，而是同源（isogenous）。

代数性质

记 \(\phi: E \mapsto E^\prime\) 为一个同源，其核（kernel）为 \(G\)，度为 \(d = \vert G \vert\)。

对偶同源可以看作“某种意义上的逆”，但它的复合结果不是恒等映射，而是倍点映射。

上述第四个结论对 supersingular 曲线而言尤其重要。对于定义在 \(\mathbb{F}_{p^2}\) 上的超奇异曲线，通常都有：

因此可以得出一个非常关键的结论，所有的超奇异椭圆曲线都是同源的。以 \(\mathbb{F}_{431^2}\) 上的一条具体曲线为例：

其阶满足 \(\#E(\mathbb{F}_{431^2}) = 432^2\)，群结构为：

并且这条曲线满足：

从而有：

同源图

以 \(\mathbb{F}_{431^2}\) 上所有超奇异曲线的 j-invariant 构成的图为例，可以得到如下的 supersingular isogeny graph（共 37 类超奇异同源曲线）：

由于同源保持曲线阶不变，因此超奇异曲线在进行同源后，仍然会落到超奇异曲线集合中。于是当我们在这张图上做 \(\ell\)-isogeny 时，本质上就是在图上进行随机游走。

从这个角度看，SIDH 已经和传统 DH 有了某种相似性：Alice 和 Bob 从同一个起点出发，分别按照自己的私钥选择图上的路径，最后再利用对方公开出来的信息继续走向一个共同的终点。

对于每一条曲线 \(E\)，存在 3 个不同的 2-isogeny，因此理论上它最多可以通过 2-isogeny 到达 3 条不同 j-invariant 的曲线。于是我们得到如下结构：

除了 j-invariant 值为 \(0, 4, 242\) 的曲线外，其他所有顶点都有 3 条出边。而且这里的边默认都是双向的，因为对应同源 \(\phi: E \mapsto E^\prime\) 的对偶同源 \(\hat \phi: E^\prime \mapsto E\) 会提供返回的边。

同理，对于 3-isogeny 图，每个顶点会有 4 条出边：

有了这种图论直觉后，我们再看 SIDH 中有限域的选取。SIKE/SIDH 的标准选择是下面形式的素数：

其中 \(2^{e_A} \approx 3^{e_B}\)。更一般地，SIDH 也适用于 \(p = f2^{e_A}3^{e_B} - 1\) 的形式，但很多标准设置里直接取 \(f = 1\)。由于：

因此存在两个点 \(P, Q\)，它们的阶为 \(p_s = 2^{e_A}3^{e_B}\)，并构成整个椭圆曲线群的基。所有阶为 \(2^{e_A}\) 或 \(3^{e_B}\) 的点也都落在 \(E\left(\mathbb{F}_{p^2}\right)\) 上。 这也是为什么 SIDH 可以分别在 2-power 和 3-power torsion 上工作，并把 Alice 与 Bob 的计算放在同一条起始曲线中完成。选择 \(\ell = 2, 3\) 还有一个非常现实的原因：这两类小度同源都可以在 \(\mathbb{F}_{p^2}\) 上高效计算；如果选择更高阶的同源，通常就需要进入更大的扩域。

SIDH Protocol

有了上面的 supersingular isogeny graph 直觉之后，SIDH 的整体轮廓就已经比较清楚了。不过，在给出完整协议之前，先看一个“看起来像 DH、但其实不对”的朴素版本，会更容易理解真实 SIDH 为什么要引入辅助点。

朴素 SIDH

参考传统 DH 协议，一个最自然的想法是：选择私钥 \(s_a \in (0, 2^{e_A})\) 与 \(s_b \in (0, 3^{e_B})\)，然后让 Alice 和 Bob 分别按自己的私钥在图上走若干步。

标准 SIDH

设素数 \(p = 2^{e_A}3^{e_B} - 1\)，并固定一条初始超奇异椭圆曲线 \(E\)。下面给出更接近真实协议的版本。

SIDH 的正确性

SIDH 抽象到几何/图论上有着很明确的意义：即有向图的随机游走，从起点到终点的过程其实就是群作用(group action)，具体而言就是同源 isogeny，而同源的度决定了该随机游走的复杂性，即从某个确定的起点出发，不同的终点数目最大有多少。按照上述方式构造后，双方最终得到的曲线满足 \(j(E_{AB}) = j(E_{BA})\)，它们都对应于同一个类曲线 \(E /\left\langle S_A, S_B\right\rangle\)。更严格的证明可以在论文 pqc from supersingular elliptic curve isogenies 中找到。其核心等式是：

其中 \(\phi = E/ \left\langle P \right\rangle\)。

SIDH 选择的同源度数形如 \(p^e\)。当 \(p\) 很小时，这类同源可以在多项式时间内计算，复杂度近似为 \(O(ep)\)。这也是为什么协议特别偏爱 \(2\) 和 \(3\) 这两个小素数。对于比较大的素数阶 $p$ 的同源，目前计算同源的最优复杂度是 $O(\sqrt{p})$ （参考 velusqrt）。相比之下，更大素数阶的同源目前计算代价会明显更高。

下面从 kernel 的角度，解释为什么 SIDH 最终一定会得到相同的 j-invariant。

Useful references:

• Groth16 paper: On the Size of Pairing-based Non-interactive Arguments
• Awesome introduction to zk-snark: moonmath book

Preliminaries

Before start, the basic definitions of zero-knowledge proofs and zk-SNARKs are assumed to be known, especially for Rank-1 Constraint System (R1CS) and Quadratic Arithmetic Programs. For a brief introduction, please refer to my previous post: Notes on Formal Language and Generic Proof System. For beginners, moonmath book is highly recommended for learning the mathematical foundations and Groth16 protocol.

High-Level Process of Groth16. In Groth16, the claim or knowledge to be proven is typically represented as an arithmetic circuit, then reduced to a Rank-1 Constraint System (R1CS), and finally transformed into a Quadratic Arithmetic Program (QAP). This reduction allows the proof to be distilled into a single polynomial identity. In this post, we focus exclusively on the final polynomial proof, which constitutes the core of Groth16’s zero-knowledge property.

In the following sections, this post provides a detailed exposition of the three core sub-protocols of Groth16: the Setup Phase, the Prover Phase, and the Verifier Phase. It concludes by addressing several practical security considerations essential for implementation.

Setup Phase

The setup phase samples 5 random, invertible elements \(\alpha, \beta, \gamma, \delta\) and \(\tau\) from the scalar field \(\mathbb{F}_r\) of the protocol and outputs the simulation trapdoor \(\mathrm{ST}\) :

In the setup phase, we need to generate the following common reference string and remove the simulation trapdoor completely right after the setup phase.

The Prover Phase

We first recall that given \(QAP(R)=\left\{T \in \mathbb{F}[x],\left\{A_j, B_j, C_j \in \mathbb{F}[x]\right\}_{j=0}^{n+m}\right\}\) associated with our R1CS and a witness \(<W_1, \ldots, W_m>\) for an instance \(<I_1, \ldots, I_n>\), the knowledge proof of witness \(<W_1, \ldots, W_m>\) is performed as follows. We first compute the proving polynomial:

To be more precise, we split \(P_{(I ; W)}\) as three parts \(\mathcal{A}, \mathcal{B}, \mathcal{C}\):

Denote the degree of target polynomial \(T(x):=\Pi_{l=1}^t\left(x-m_l\right)\) as \(t\). By the definitions of QAP polynomials \(A, B, C, T\), if the witness \(<W_1, \ldots, W_m>\) is valid for an instance \(<I_1, \ldots, I_n>\), the polynomial \(P_{(I ; W)}\) has roots \((m_1, m_2, \ldots, m_{t})\) (which exactly correspond to the \(t\) equations in R1CS) and is hence divisible by \(T(x)\). This implies:

You can circle back to the $(Groth)$ equation after checking out the verifier phase, or keep it in mind as you follow the completeness proof. It’s the best way to grasp what’s actually happening under the hood of the Groth16 protocol. Doing this helps you see the bigger picture, rather than just grinding through a bunch of dry math only to realize at the end, ‘Oh, I guess the verifier’s pairing equation works.’

By the pre-computed CRS, the prover can evaluate \(P_{(I ; W)}(\tau)/ \delta\). We first note the all polynomials \(A_i, B_i, C_i\) are at most of degree \(t - 1\) since they are computed by Lagrange Interpolation on \(t\) points with x-coordinates \((m_1, \ldots, m_t)\). The degree of \(H(x)\) (\(h := \deg H \le t - 2 = \deg T - 2\)) is strictly smaller than that of \(T(x)\). Denote \(H(x)\) as:

Then:

The prover samples two random field elements \(r, t \in \mathbb{F}_{r}\) and computes the following curve points：

Note that all \(A_i, B_i, C_i\) are polynomials of degree less than \(t - 1\) and can be evaluated at \(\tau\) by the powers of tau. In practice, \(g_1^{A_i(\tau)}, g_1^{B_i(\tau)}, g_2^{B_i(\tau)}\) can be pre-computed. In other words, these points only need to be computed once, and can be made public and reused for multiple proof generations as they are consistent across all instances and witnesses.

Therefore, we have:

The final proof consists of only three elements:

Denote the three proof elements as \(\pi:=(\pi_A, \pi_B, \pi_C)\) in the following context. The correctness of the proof and details of verifying will be addressed in next section.

The Verification Phase

The verifier has the knowledge of \(A, B, C, T\), the public instance \(I_1, \ldots, I_{n}\) and the common reference string \(CRS_{\mathbb{G}_1}, CRS_{\mathbb{G}_2}\). The verifier computes:

Security Considerations

In this section, we briefly discuss some security issues of Groth16 in real-world scenarios.

The Extensibility Attacks

Given a valid proof \(\pi =(\pi_A, \pi_B, \pi_C)= (g_1^A,g_2^B,g_1^C)\), the verifying process only checks:

Therefore, for any \(x \cdot x^{-1} =1 \in \mathbb{F}_r\), we can forge/regenerate a new proof from the known valid proof:

from the pairing identity \(e(\pi_A^x, \pi_{B}^{x^{-1}}) = e(\pi_A, \pi_B)\). This property is known as ‘malleability’ makes it extremely easy to double spend a proof.

Essentially, an attacker can take an existing zero-knowledge proof and tweak it to generate a brand-new, valid one. In the world of blockchain, which is currently the primary use case for ZKPs, malleability is a deal-breaker. It’s a critical vulnerability that can pave the way for devastating issues like double-spending or double-voting attacks.

Forging Attack With Toxic Waste

When the simulation trapdoor \(\mathrm{ST}=(\alpha, \beta, \gamma, \delta, \tau)\) is leaked, one can forge a proof without a valid witness. This is a generic forging attack against the trusted setup zero-knowledge proof protocol.

In short, every single value within the simulation trapdoor must remain strictly confidential, making the security of the setup phase absolutely critical. We have to assume that the entity running this process is honest and trustworthy, which is often far too demanding for real-world applications. To make matters worse, a new setup is required for every single circuit. This is the predicament of Groth16: while it is mathematically elegant, the difficulty of guaranteeing a secure setup makes it quite cumbersome to deploy. These pain points are exactly what newer protocols like Plonk aim to solve by introducing more flexible setup procedures.

读博之后，已经很久没有认真记录过生活和旅程了。于是在年末的某天翻过了之前高中写下的诗集之后，细数惭愧，我决定写一些文字记录这一年。或许也是在 AI 浪潮的裹挟下，我想要保留一些生活的慢节奏，以此证明自己还是一个有温度的人类，而不是在规定好的工作流上孜孜不倦运转的智能体。

关于旅途和生活

好好生活，慢慢相遇。

旅行与演唱会

2025 年的旅行，年初二月份本来计划去日本参加 SECCON，签证办完之后，由于各种不让出国比赛的经典原因，只能作罢，继 2024 年 DEFCON 美签作废之后，又作废一份日签。幸运的是，抢到了黄老板（Ed Sheeran）二月份在杭州的演唱会门票，和朋友们一起去看了现场，算是弥补了一些遗憾。

第一次体验 Live Looping 的演唱会模式，黄老板一人一吉他撑起了整个舞台。不过没有舞美以及布景设计，确实有点素，所以有些人是吐槽诚意不够。不过现场气氛还是很不错的，黄老板唱功在线，而且几乎是全程弹唱了两个多小时，机能太顶了，作为十年老粉而言，我觉得还是很值的。

杭州回来之后就没出远门旅行了，不过演唱会倒还是去了不少，如下。

5 月份凤凰传奇在鸟巢的演唱会，和朋友试着抢票玩一玩，没想到还真的抢到了。八万人合唱的场景确实还是非常震撼的，不过中间有些 DJ 打碟的环节属于有点过于吵闹了，对心脏不太友好。

转眼间听许嵩已经十几年了，这次去许嵩的天津演唱会，也算是圆了小时候的一个愿望，但是不得不感慨这个男人看起来一点都没变老。 印象里面第一首歌是小学时候听的《断桥残雪》，即使放到现在这样的词曲水准也依旧不过时。不过，“过气歌手”许嵩的票怎么就这么难抢呢？许嵩的票我抢了好几轮，最后还是 lcy 学长帮忙才抢到的。

现场最多的还是紫色妹妹，不过有些是男妹妹？（雾）

想去看这场演唱会的原因是看了之前《乘风》里面美依礼芽几个比较出圈的现场，再加上很久没有感受二次元现场的氛围了，所以决定提升一下浓度？ 总体而言不算满意的一场演唱会，不过是主办方的问题，场地选择和音响效果都不太好，甚至票价都没有区分度，除了最前排，坐哪儿都是一样的。感觉有点儿被割韭菜的感觉。

自由的旅途

我梦寐以求，是真爱和自由。郑钧《私奔》

上面的图是 2025 年 7 月徒步东灵山的时候领队小姐姐拍的，这张图我给满分。 阔别已久的老同学 yhx 在北京实习，约了我去爬东灵山–北京最高峰。作为徒步小白，起初我是很抗拒的，想去更简单的北灵徒步路线。但是很庆幸 yhx 坚持要去东灵山，结果证明这是一次非常棒的徒步体验。

出发当天六点醒来看见门头沟暴雨蓝色预警心凉了一半，没想到雨后的东灵反倒是锦上添花。全程 12km 的徒步与 800m 的爬升，解锁 2303m 的东灵峰，以及名不虚传的京西阿勒泰高山草甸风光。

大风雾里爬山体验却难得很不错，上山的整体感觉就是走在云里。尽管峰顶视野极差，基本只能感受雾和狂风，但是震撼的是下山的时候雾刚好开始散开，透出阳光和远方的山脉，切实感受到云卷云舒，也是很难得地体验到登高的意义。不愧是京西阿勒泰，一切都很完美，只是有点费膝盖。

你要爱荒野上的风声，胜过爱贫穷与思考。陈鸿宇《途中》

8 月份的时候，又顺便去了一趟乌兰察布。草原的辽阔的确能够疗愈人心，天地阔远，荒野风声，盖过一切琐碎杂念，这里是特别适合放空和思考的地方。不管是湖泊草原还是荒野火山，都是逃离北京的嘈杂喧嚣生活的好去处。步履不停，途中所见，皆为风景。在乌兰察布的旅程中听着陈鸿宇的《途中》，这种契合的意境唯有在在慢慢行进的路上才能感之真切。

关于学术

25 年的不顺，主要来源于论文投稿，用坎坷离奇来形容也不为过，不过到了年末，一整年的努力付出终究还是有所收获。

今年的投稿历程只能说时运不济，第一篇工作投了 25 欧密，第一轮 review 看起来非常不错，一个明确的 accept，以及两个模糊的 weak accept 评价（实际有一个 weak reject），没想到 2025 年初一月底的最终轮被拒收，理由是技术创新性不够。随后，我就开启了 2025 年的三大密码顶会的拒稿流水线，后面相继投了美密会，亚密会，分数都在 borderline 附近，但都刚好有一个审稿人给 weak reject，拒稿理由也都相当主观，rebuttal 的作用感觉微乎其微。每次投稿都能碰到：

• 善良的正向审稿人
• 挑剔的负面审稿人
• 折衷的保守审稿人

可惜的是，每次善良的审稿人都没能斗过挑剔的审稿人，AC 貌似特别看重给低分的意见。但是幸运的是，不管是正向还是负面的意见，也都让我觉得这篇工作继续做下去是很有意义的，尤其是给高分的审稿人给了非常高的情绪价值（参考下图），在此特别致谢这些匿名审稿人。

7 月份亚密被拒之后，修改后加了一些新的想法和证明，篇幅也快到 60 页了，这已经不是一篇会议论文可以接受的长度了。于是我和合作的老师讨论之后，决定对论文做减法，事实证明，这是我 25 年最正确的明智之举。在 8 月到 10 月中旬，我改了整整两个半月的论文，每天都是打开 vscode 的论文 latex 目录，读写论文，实现代码以及润色论文，除此之外几乎没有做其他事情。算是完整地完成了两篇论文从 idea 到代码实现，写作到投稿的全过程。最后，第一篇工作继续投了EUROCRYPT 2026，第二篇投了密码学高性能实现的小顶会 CHES 2026。幸运的是第二篇 CHES 一次投稿就中了。虽然历经了一点曲折，今年也完成了博士的开题，正式成为了一位 PhD Candidate。

总之论文工作推进到这里，需要感谢很多人，比如两位合作的老师，以及孜孜不倦 push 我的 lcy 学长，还有帮忙推进论文实现的 suansuan。

论文投稿导致 25 年下半年很多目标都没来得及做，最可惜的是今年的 nsu-crypto 奥林匹克密码学竞赛刚好撞上了我论文的截稿日，还是没能填补去年没拿金牌的遗憾。

关于 CTF 比赛

今年参加 CTF 比赛，越来越明确地感觉到 CTF 的密码方向很快就要变成大模型的天下了，我估计也准备退役了。今年打得最投入和最有成就感的比赛是 CryptoCTF：我，debato 还有 suansuan 三个人把所有题 AK 了，最后拿了第二（总分并列第一）。这场比赛倒还是有很多趣事：邻近比赛前一天，由于以色列和伊朗的冲突升级，导致主办方（伊朗）不得不延后了这场比赛，这是第一次切实感受到国际局势的影响。 在我们参加 CryptoCTF 的时候，大模型还只是初露峥嵘，印象最深的是 gemini 给了一个谷歌的 sat/milp 求解工具 ortools，从而秒了一道卡了我们很久的题。

大模型展现统治力的最大转折点大概是今年9到10月左右，也就是 claude sonnet 4.5 模型发布的时间段，随后 codex 5.1 和 gemini 3 pro 出来之后，明显感觉到一般的密码学题目已经是从解题思路到代码实现都能 90% 外包给大模型了，剩下 10 % 就是人工的提需求和指方向。按照 suansuan 的说法就是：

现在的 CTF 竞赛很无聊了，整天都在与神明对话。

是的，当你问 C 神（ChatGPT）得不到答案，那你就去问 G 神（Gemini）。这些话并不是玩笑，因为后半年不论是国内还是国际的顶尖 CTF 比赛的密码赛题，大模型几乎能秒 90 % 的赛题，目前现阶段最好的通用模型 Gemini 3 Pro + 最强的编程 Claude Opus 4.5，只要愿意烧 token，不需要专门设计智能体，也能解绝大部分密码学题。如果再加一个有经验的密码手，估计 Crypto 方向一人就能顶之前五个人用，AI 提效恐怖如斯。举几个相当离谱的例子，2025 n1ctf 的一道论文题甚至可以在不需要知道论文的情况下，将代码喂给大模型，然后就能在思考几分钟的情况下，给你一个完整的 exp。最近 0ctf 的一道求四立方和的问题，也能让大模型学习一些现有论文和 stackoverflow 的相关讨论的情况下，给出一个可行的解法。起初以为这是一道简单题，后来才知道这题的 idea 在投一篇数学顶会。总之，随着大模型和 Agent 水平的提升，普通 CTF 密码赛题已经没有什么乐趣了。为在比赛中对抗大模型的使用（Anti-LLM），今年 RCTF 我出了两道 sagemath 的伪随机数生成器的题，这两题不太能被大模型秒了的原因在于代码审计的上下文很长，在没有人工审计的情况下 LLM 很难自己分析到 gmp 的源码。意外的是，这个二连题的唯二解，居然都是非预期解法，不过思路也很有意思。从赛后题解看来，基本这题只能用 LLM 辅助分析，不太能丢给 LLM 一把梭了。

这一年估计不会怎么打比赛了，其一是大模型崛起后，很多技巧性的题，论文题失去了乐趣，CTF 比赛和编程比赛之类的脑力竞赛，似乎已经被 LLM 逐渐杀死，AGI 时代会优化掉多少技术方向，还未可知，至少目前 Vibe Coding 已经杀死传统编程，学术研究范式更是瞬息万变。其二是我觉得设计一个 Agent 解题可能更有趣（打不过就加入），LLM 智能体和 AI 大幅提效已经是大势所趋。特别是学术方面（Vibe Research），当你有一个 idea 之后，设计一个 Agent 进行调研、扩展都是很有意思的工作，特别是给大模型一些领域 SOTA 的上下文工作，让大模型基于现有技术去提升性能，或尝试将其他领域的技术应用到新方向，都非常 promising。2025 可以称得上智能体元年，AI 智能体能力显著提升的一年，研究范式被不断冲击，比如如今的代码编写已经全面进入 Vibe Coding，编程似乎已经不再需要门槛了，我也确实该调整自己的研究思路和工作流了。恰好今年写年终总结，尝试使用了一下 Manus + Nano Banana Pro 的智能体做 PPT，只能说如今的 AI 提效能力，远超预期，比如下面的一页 PPT 仅仅通过一句 Prompt 即可在两分钟内生成：

根据 NeSE 官网 https://nese.team/awards/2025/ 的数据，总结 tl2cents 这一年的 CTF 比赛成绩，生成相关统计作为一页 PPT。

新的一年，毋庸置疑，研究和使用 LLM Agent 是绕不开的。另一方面，大模型出来了之后，数学的学习成本大幅下降，特别是借助 Gemini 优秀的推理能力，理解复杂的证明变得相对简单，回想起本科学机器学习的时候，各种凸优化和实分析最终劝退了我去研究 AI 底层的热情。2026 年，借助大模型补一些之前没能深究的数学领域，也在我的计划之中。希望这些立下的 flag 不会倒掉。

This is a test for bilingual blog support. You should see language toggle buttons below the title.

If you see this post in the main list, you should see the EN/CN badge.

This document demonstrates the various custom content blocks supported by the blog theme and how to use them. Every style includes source code examples and the actual rendered result.

1. Basic Blocks

Supports four basic state colors: Standard, Success, Info, Warning, Error.

HTML Syntax

Use <div class="*-block" markdown="1"> (Note that markdown="1" is required for processing internal MD content).

Source Example:

<!-- Normal/Default -->
<div class="neutral-block" markdown="1">
<div class="block-title">Neutral Block</div>
This is a default style block.
</div>

<!-- Success/Green -->
<div class="success-block" markdown="1">
<div class="block-title">Success Block</div>
Operation successful.
</div>

<!-- Info/Blue -->
<div class="info-block" markdown="1">
<div class="block-title">Info Block</div>
General information.
</div>

<!-- Warning/Yellow -->
<div class="warning-block" markdown="1">
<div class="block-title">Warning Block</div>
Warning message.
</div>

<!-- Error/Red -->
<div class="error-block" markdown="1">
<div class="block-title">Error Block</div>
Error or dangerous operation.
</div>

Rendered Result:

Liquid Tag Syntax

Use {% plain type title="..." %}.

Source Example:

{% plain success title="Liquid Success" %}
This is a block generated using Liquid tags.
{% endplain %}

{% plain error title="Liquid Error" %}
This is an error block generated using Liquid tags.
{% endplain %}

Rendered Result:

2. Academic Blocks

Supports common academic environment definitions: proof, theorem, lemma, proposition, definition, example, remark, note, solution.

Basic Usage (Default Block Title)

HTML Source:

<div class="theorem" markdown="1">
This is a theorem.
</div>

<div class="proof" markdown="1">
This is a proof.
</div>

Liquid Source:

{% theorem %}
This is a theorem (Liquid).
{% endtheorem %}

Rendered Result:

Inline Title Style

Add inline class or parameter.

Source:

<div class="proof inline" markdown="1">
Title and content are on the same line.
</div>


{% note inline %}
Note: This is a note with an inline title.
{% endnote %}

Rendered Result:

Custom Title

Use data-title attribute or title parameter.

Source:

<div class="lemma" data-title="Zorn's Lemma" markdown="1">
Every non-empty partially ordered set has a maximal element...
</div>


{% proposition title="My Proposition" %}
This is a proposition with a custom title.
{% endproposition %}

Rendered Result:

3. Collapsible Blocks

HTML Syntax (details & summary)

Source:

<details class="info" markdown="1">
<summary data-title="Click to expand details"></summary>
Here is the hidden detailed content.
</details>

Rendered Result:

Liquid Syntax (fold parameter)

Source:

{% example fold title="View Code Example" %}
```python
print("Hidden Code")
```
{% endexample %}

Rendered Result:

print("Hidden Code")

4. Code Block Enhancements

Supports adding titles, default fold states, and special styles to code blocks.

Code Blocks with Titles

Add {: title="..." } below the code block.

Source:

```python
def main():
    pass
```
{: title="main.py" }

Rendered Result:

def main():
    pass

Default Folded Code Blocks

Use fold="true" (default folded) or fold="open" (default expanded).

Source:

```javascript
// Long code folded
const bigFile = "...";
```
{: title="config.js" fold="true" }

Rendered Result:

// Long code folded
const bigFile = "...";

Semantic Color Code Blocks

Use type="..." parameter. Supports example (green), exploit (blue), error (red).

Source:

```bash
# This is a correct example
npm install
```
{: type="example" }

```c
// This is an exploit code
char buf[10];
strcpy(buf, input);
```
{: type="exploit" title="vulnerable.c" }

```bash
# This is an error operation
rm -rf /
```
{: type="error" }

Rendered Result:

# This is a correct example
npm install

// This is an exploit code
char buf[10];
strcpy(buf, input);

# This is an error operation
rm -rf /

Liquid Code Block Wrapper

Source:

{% code_block success fold title="Wrapped Code" %}
```python
print("Wrapped in Liquid")
```
{% endcode_block %}

Rendered Result:

print("Wrapped in Liquid")

这是一个双语博客的测试。你应该能在标题下方看到语言切换按钮。

如果在主页列表看到这篇文章，应该能看到 EN/CN 的标志。

本文档用于展示博客主题支持的各种自定义内容块及其使用方法。每种样式都提供了源码示例和实际渲染效果。

1. 基础提示块 (Basic Blocks)

支持四种基础状态颜色：Standard, Success, Info, Warning, Error。

HTML 语法

使用 <div class="*-block" markdown="1"> (注意 markdown="1" 对于处理内部 MD 内容是必须的)。

源码示例：

<!-- 常规/默认 -->
<div class="neutral-block" markdown="1">
<div class="block-title">Neutral Block</div>
这是一个默认样式的块。
</div>

<!-- 成功/绿色 -->
<div class="success-block" markdown="1">
<div class="block-title">Success Block</div>
操作成功提示。
</div>

<!-- 信息/蓝色 -->
<div class="info-block" markdown="1">
<div class="block-title">Info Block</div>
一般信息提示。
</div>

<!-- 警告/黄色 -->
<div class="warning-block" markdown="1">
<div class="block-title">Warning Block</div>
警告信息提示。
</div>

<!-- 错误/红色 -->
<div class="error-block" markdown="1">
<div class="block-title">Error Block</div>
错误或危险操作提示。
</div>

渲染效果：

Liquid 标签语法

使用 {% plain type title="..." %}。

源码示例：

{% plain success title="Liquid Success" %}
这是使用 Liquid 标签生成的块。
{% endplain %}

{% plain error title="Liquid Error" %}
这是使用 Liquid 标签生成的错误块。
{% endplain %}

渲染效果：

2. 学术与数学块 (Academic Blocks)

支持常见的学术环境定义：proof, theorem, lemma, proposition, definition, example, remark, note, solution。

基础用法 (默认换行标题)

HTML 源码：

<div class="theorem" markdown="1">
这是一个定理。
</div>

<div class="proof" markdown="1">
这是一个证明。
</div>

Liquid 源码：

{% theorem %}
这是一个定理 (Liquid)。
{% endtheorem %}

渲染效果：

行内标题样式 (Inline)

添加 inline 类或参数。

源码：

<div class="proof inline" markdown="1">
标题与内容在同一行。
</div>


{% note inline %}
注意：这是一个行内标题的 Note。
{% endnote %}

渲染效果：

自定义标题

使用 data-title 属性或 title 参数。

源码：

<div class="lemma" data-title="Zorn's Lemma" markdown="1">
每个非空偏序集都有一个最大元...
</div>


{% proposition title="My Proposition" %}
这是一个自定义标题的命题。
{% endproposition %}

渲染效果：

3. 可折叠块 (Collapsible Blocks)

HTML 语法 (details & summary)

源码：

<details class="info" markdown="1">
<summary data-title="点击展开详情"></summary>
这里是隐藏的详细内容。
</details>

渲染效果：

Liquid 语法 (fold 参数)

源码：

{% example fold title="查看代码示例" %}
```python
print("Hidden Code")
```
{% endexample %}

渲染效果：

print("Hidden Code")

4. 代码块增强 (Code Block Enhancements)

支持给代码块添加标题、默认折叠状态以及特殊样式。

带标题的代码块

在代码块下方添加 {: title="..." }。

源码：

```python
def main():
    pass
```
{: title="main.py" }

渲染效果：

def main():
    pass

默认折叠的代码块

使用 fold="true" (默认折叠) 或 fold="open" (默认展开)。

源码：

```javascript
// 长代码折叠
const bigFile = "...";
```
{: title="config.js" fold="true" }

渲染效果：

// 长代码折叠
const bigFile = "...";

特殊语义颜色代码块

使用 type="..." 参数。支持 example (绿), exploit (蓝), error (红)。

源码：

```bash
# 这是一个正确示例
npm install
```
{: type="example" }

```c
// 这是一个漏洞利用代码
char buf[10];
strcpy(buf, input);
```
{: type="exploit" title="vulnerable.c" }

```bash
# 这是一个错误操作
rm -rf /
```
{: type="error" }

渲染效果：

# 这是一个正确示例
npm install

// 这是一个漏洞利用代码
char buf[10];
strcpy(buf, input);

# 这是一个错误操作
rm -rf /

Liquid 代码块包装

源码：

{% code_block success fold title="Wrapped Code" %}
```python
print("Wrapped in Liquid")
```
{% endcode_block %}

渲染效果：

print("Wrapped in Liquid")

Challenge Setup

Let $p = 2^{21} - 9$ and $n = 6$. There are 3 main outer matrices if size $n \times n $:

The inner matrix $S$ is structured as:

We are going to recover the secret diagonal values of $S_0, S_1$: $(s_0, s_1, \cdots, s_{2n})$. When $S$ is resampled, only $q_1$ and $q_2$ are resampled. There are two oracles:

• Scratch: sample a random vector $k \in \mathbb{F}_p^{n}$ and leak three vectors:

  \[\begin{cases} r = A^{-1} \cdot k \\ s = k^T \cdot B^{-1} \\ t = C \cdot A \cdot k \text{ or } C \cdot B \cdot k \end{cases} \tag{SO}\]

  Consider a $2n$-bit mask $j$ with Hamming weight $n$, which determines the vector $t$. Specifically, if the $i$-th bit of $j$ satisfies $j_i = 1$, then $t_i = C \cdot A \cdot k$; otherwise, $t_i = C \cdot B \cdot k$. After $2n$ Scratch oracles, $A, B, S$ will be resampled.

• Whack: input $i, j, k$ and the server will increase $S_k[i][j]$ by one. This allows us to increase one element by one in static matrices $S_0, S_1$.

Recover $j$ and matrix product

We define one round as 12 calls to the Scratch oracle, during which $A, B, C$, and $S$ remain fixed. There are only $\binom{2n}{n} = 924$ possible values of $j$. Assuming that we have guessed the correct $j$, denote $R_0, S_0, T_0, K_0 \in \mathbf{GL}(\mathbb{F}_p, n)$ as the matrix spanned by $r_i,s_i, t_i, k_i$ with $j_i = 0$ and $R_1, S_1, T_1, K_1$ as the matrix spanned by $r_i,s_i, t_i, k_i \in \mathbf{GL}(\mathbb{F}_p, n)$ with $j_i = 1$ , respectively.

By equation (SO), we can learn that:

Thus, the following four matrices can be recovered:

Since $\det (M_2) = \det(M_3) \implies \det(R_0) \det(T_1) = \det(T_0) \det(S_1)$, we can use this equation to determine the correct value of $j$ and also the four matrices defined in equation (M).

Recover diagonal values $s_i$

Span equation $\det(M_2) = \det(T_0) / \det(R_0)$, we have:

The most crucial part of this problem lies in taking the Legendre symbol regarding $p$ denoted as $\textsf{leg}(\cdot)$ of both sides. This automatically eliminates all squared terms, which reveals information about the kernel $S$:

We will not discuss the case that for some $i$, $s_i = 0$ since it’s negligible. Denote $\ell_1 = \textsf{leg}\left(\prod_{1}^{n} {s_i}\right)$ and $\ell_2 = \textsf{leg}\left(\prod_{n+1}^{2n} {s_i}\right) $. Denote the round constant (the left side) as $d_i$ for round $i$. Define a good state as $\ell_1= 1$ and $\ell_2 = 1$. Such a good state can be detected when the round constant $d_i$ is always $1$.

Without the loss of generality, we assume the initial state is a good state denoted as $\mathcal{S}_0 = 1$ (and bad state denoted as $\mathcal{S}_0 = -1$). Let $m$ be the number of round trials. We can recover a secret diagonal value $s$ as follows:

This actually leaks a sequence of Legendre symbols $\left( \textsf{leg}(s), \textsf{leg}(s+1), \textsf{leg}(s+2), \textsf{leg}(s +3), \ldots \right)$ to us, which can be used to determine the unique value of original $s$. To be specific, we choose $M$ as the sequence length, slightly greater than $21$. Since $p = 2^{21} - 9$ is small, we can precompute all Legendre symbols for $x \in [0, p-1]$ in a table. By guessing the value of $\textsf{leg}(s)$, we have two candidates of Legendre sequence and only one matches the correct start point $s$.